Cryptographic Random Number Generator
True random numbers from your browser's CSPRNG. Decimal, hex, binary, octal.
CSPRNG vs PRNG: Why It Matters
A pseudorandom number generator (PRNG) like Math.random() uses a deterministic algorithm seeded by a single value. Given the seed, every output is predictable. This is fine for games and simulations where reproducibility is acceptable, but catastrophic for security.
A cryptographically secure PRNG (CSPRNG) like the Web Crypto API draws entropy from unpredictable hardware sources (CPU timing jitter, interrupt timing, mouse movements) and uses algorithms designed to resist prediction even if part of the internal state is compromised. The output is computationally indistinguishable from true randomness.
Use Cases for Cryptographic Random Numbers
- Lotteries and fair draws: Provably fair selection requires unpredictable numbers that cannot be manipulated or predicted by any participant.
- Cryptographic key generation: Encryption keys, nonces, and initialization vectors must be generated from a CSPRNG to prevent key-recovery attacks.
- Monte Carlo simulations: Statistical simulations benefit from high-quality randomness to avoid systematic biases in results.
- Gaming and gambling: Online gaming platforms use CSPRNGs to ensure fairness and compliance with regulatory requirements.
- Token generation: Session tokens, CSRF tokens, and password reset tokens need cryptographic randomness to prevent forgery.
How the Web Crypto API Works
The crypto.getRandomValues() method fills a typed array with cryptographically strong random values. Under the hood, it delegates to the operating system's entropy source:
- Linux/macOS: /dev/urandom, backed by the kernel's entropy pool (ChaCha20-based on modern kernels)
- Windows: BCryptGenRandom (formerly CryptGenRandom)
- All platforms: The browser may mix in additional entropy sources like CPU RDRAND instructions
This API is available in all modern browsers and is the recommended way to generate random values in web applications.
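As an added example (not this tool's own source code), the following shows how crypto.getRandomValues() can be used to draw an unbiased integer in a range and render it in the four formats listed on this page. The function names, the 32-bit range limit and the Node.js fallback are assumptions made for the example.

```javascript
// Added example: unbiased integers from crypto.getRandomValues().
// Browsers expose globalThis.crypto; the require() fallback covers older Node.js.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const QUOTA_BYTES = 65536; // a single getRandomValues() call rejects larger requests

// Fill `count` 32-bit words, splitting the request to stay under the quota.
function randomUint32s(count) {
  const out = new Uint32Array(count);
  const step = QUOTA_BYTES / Uint32Array.BYTES_PER_ELEMENT;
  for (let i = 0; i < count; i += step) {
    webCrypto.getRandomValues(out.subarray(i, Math.min(i + step, count)));
  }
  return out;
}

// Uniform integer in [min, max] (inclusive) by rejection sampling.
// A plain `value % range` would favour small results whenever range
// does not divide 2^32; values at or above `limit` are discarded instead.
function randomInt(min, max) {
  if (!Number.isInteger(min) || !Number.isInteger(max) || min > max) {
    throw new RangeError("min and max must be integers with min <= max");
  }
  const range = max - min + 1;
  if (range > 2 ** 32) throw new RangeError("range exceeds 32 bits");
  const limit = 2 ** 32 - (2 ** 32 % range); // largest multiple of range <= 2^32
  const word = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(word);
  } while (word[0] >= limit);
  return min + (word[0] % range);
}

// Render one non-negative integer in decimal, hex, binary and octal.
function formatAll(n) {
  return {
    decimal: n.toString(10),
    hex: "0x" + n.toString(16).toUpperCase(),
    binary: "0b" + n.toString(2),
    octal: "0" + n.toString(8),
  };
}
```

The rejection loop almost always finishes on the first draw; in the worst case (a range just over 2^31) each draw is accepted with probability slightly above one half.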
Why Math.random() Is Insecure
Math.random() in V8 (Chrome/Node.js) uses the xorshift128+ algorithm with a 128-bit state. Researchers have demonstrated that with just a few outputs, the entire state can be recovered, allowing prediction of all future values. In SpiderMonkey (Firefox) and JavaScriptCore (Safari), similar weaknesses exist.
In 2015, a security researcher showed that Math.random() in Chrome could be fully predicted after observing just 5 consecutive outputs. This makes it completely unsuitable for any security application.
Frequently Asked Questions
What makes these random numbers cryptographically secure?
This tool uses the Web Crypto API (crypto.getRandomValues()), which is a cryptographically secure pseudorandom number generator (CSPRNG) built into your browser. It draws entropy from your operating system's random number source (e.g., /dev/urandom on Linux, BCryptGenRandom, formerly CryptGenRandom, on Windows), making it suitable for security-sensitive applications.
Why not use Math.random()?
Math.random() uses a PRNG algorithm (typically xorshift128+) that is not cryptographically secure. Its output is predictable — given enough samples, an attacker can reconstruct the internal state and predict future values. Never use Math.random() for tokens, passwords, cryptographic keys, or anything security-related.
Can I generate truly random numbers in a browser?
Browsers provide cryptographically secure pseudorandom numbers via the Web Crypto API, which is the gold standard for software-based randomness. True hardware randomness (from radioactive decay, atmospheric noise, etc.) requires specialized hardware. For all practical purposes, CSPRNG output is indistinguishable from true randomness.
What output formats are supported?
This tool supports four output formats: Decimal (base 10, e.g., 42), Hexadecimal (base 16, e.g., 0x2A), Binary (base 2, e.g., 0b101010), and Octal (base 8, e.g., 052). All formats represent the same underlying random value.
Is there a limit to how many numbers I can generate?
You can generate up to 100 numbers at once using this tool. The Web Crypto API itself has no practical limit on total output, although each call can fill arrays of up to 65,536 bytes. For bulk generation beyond 100, simply click generate multiple times.