Why Math.random() Is Unsafe for Passwords — and How to Use crypto.getRandomValues Instead
If you have ever written a password generator in JavaScript, you may have reached for Math.random(). It works, the output looks random, and nobody will notice. Right?
Wrong. Using Math.random() for anything security-sensitive is a significant vulnerability. This article explains why, shows you the safe alternative, and covers the subtle pitfalls that even careful developers trip over.
The Problem With Math.random()
Math.random() is a Pseudo-Random Number Generator (PRNG). It produces numbers that look random, but they are entirely deterministic — the output is derived from an internal seed using a mathematical formula.
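Added example (not code from the original article): the determinism described above, next to a generator built on crypto.getRandomValues. The names seededPrng, insecurePassword, securePassword and CHARSET are illustrative, and the small seeded generator is an assumed stand-in for the engine's internal one. The rejection-sampling step goes slightly beyond the text so that every character stays equally likely.

```javascript
// Browsers and recent Node expose crypto globally; older Node falls back to the built-in module.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const CHARSET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';

// mulberry32-style seeded PRNG standing in for Math.random()'s internal
// generator (assumption: engines use a different algorithm, but it is
// deterministic in the same way).
function seededPrng(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // float in [0, 1)
  };
}

// Unsafe pattern: the same shape as the usual Math.random() generator.
// Whoever knows the internal state can reproduce the whole password.
function insecurePassword(length, rand) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += CHARSET[Math.floor(rand() * CHARSET.length)];
  }
  return out;
}

// Safe pattern: bytes from the platform CSPRNG, with rejection sampling so
// each character is equally likely (a plain `byte % n` would favour the
// first 256 % n characters).
function securePassword(length, charset = CHARSET) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError('length must be a positive integer');
  if (charset.length < 2 || charset.length > 256) throw new RangeError('charset must have 2..256 characters');
  const limit = 256 - (256 % charset.length); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(64);
  let out = '';
  while (out.length < length) {
    webcrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += charset[b % charset.length];
    }
  }
  return out;
}
```

Calling insecurePassword(16, seededPrng(1234)) twice returns the same string both times, while two calls to securePassword(16) do not.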







