How Random Is a Random Number Generator, Really?

You're running a giveaway for 500 followers. You paste your list of names into a browser-based random picker, hit the button, and a winner pops up. Everyone claps. Fair and square, right?

Maybe. Maybe not.

Here's the uncomfortable truth: the word "random" on most online tools is doing a lot of heavy lifting. And if you've ever wondered whether that spinner, dice roller, or number generator is actually giving you real randomness — or something that just looks random — you're asking exactly the right question.

The Problem: "Random" Isn't One Thing

Most people use "random" to mean unpredictable. But in computing, there are two very different kinds of randomness, and they are not interchangeable.

The first kind is true randomness — also called hardware randomness or entropy. This comes from physical processes that are genuinely unpredictable: thermal noise in a circuit, the exact timing of radioactive decay, atmospheric interference captured by a microphone. These events can't be calculated in advance. Even with perfect knowledge of the system, you couldn't predict the next number. It's unpredictability in the most literal sense.

The second kind is pseudo-randomness. This is what virtually every browser-based RNG tool uses — including the ones built into JavaScript with Math.random(). A pseudo-random number generator (PRNG) takes a starting value called a seed, runs it through a deterministic algorithm, and produces a sequence of numbers that looks statistically random. But it isn't. Given the same seed, the same algorithm produces the same sequence. Every time.

Think of it like shuffling a deck of cards using a very complicated but fixed rule. The result feels unpredictable to an observer, but if you knew the rule and the starting position, you could predict every card before it was dealt.

Why This Actually Matters

For most everyday uses — picking a random movie to watch, deciding who does the dishes, rolling dice in a casual game — pseudo-randomness is completely fine. The sequence is shuffled well enough that no human is going to reverse-engineer it in real time.

But the gap between pseudo-random and truly random starts to matter in three specific situations:

1. High-stakes giveaways and competitions. If you're choosing a winner in a public contest with real money or prizes involved, people have a legitimate interest in the process being genuinely unbiased. A PRNG that was seeded with the current system timestamp (a common implementation) could theoretically be manipulated if someone knew the exact moment the generator was initialized. This isn't paranoia — there have been documented cases of lottery fraud built on exactly this kind of PRNG predictability.

2. Online games where fairness matters. Multiplayer card games, loot boxes, or procedurally generated puzzles that use weak PRNGs can be gamed by players who figure out the pattern. This is especially relevant in competitive settings.

3. Anything cryptographic. Password generators, security tokens, encryption keys — these absolutely require cryptographically secure randomness. Using Math.random() for cryptographic purposes is a well-documented security mistake.

What's Inside That Browser Tool?

When you open a random number generator in your browser and click "generate," here's roughly what happens under the hood:

The tool calls JavaScript's built-in Math.random(), which returns a floating-point number between 0 and 1. That number is then scaled to whatever range you asked for. The underlying algorithm varies by browser — Chrome uses xorshift128+, Firefox uses xorshift128, Safari has used its own variant — but all of them are PRNGs. They're fast, they're well-distributed, and they're not cryptographically secure.

This doesn't mean these tools are broken or dishonest. For 99% of use cases, they work great. But you should know what you're using.

The exception is the Web Crypto API, which browsers have supported for years. When a tool uses crypto.getRandomValues() instead of Math.random(), it taps into the operating system's entropy pool (a mix of hardware events), which seeds a cryptographically secure generator. The output is cryptographically secure, and it's the right choice for anything that matters.

The Solution: Matching the Tool to the Task

Here's the practical framework I use, and you should too:

For casual games and informal decisions

Any browser RNG is fine. Rolling a number between 1 and 6 for a board game? Picking a random pizza topping? Math.random() is more than adequate. The statistical distribution is solid, and no one's trying to cheat your pizza order.

For public giveaways and competitions

Use a tool that either (a) uses crypto.getRandomValues() explicitly, or (b) pulls from a third-party entropy source. Random.org is the gold standard here — it generates numbers from atmospheric noise, which is genuine physical entropy. They've been doing this since 1998 and publish statistical tests of their outputs. If you're doing a public draw, using Random.org and screenshotting the result page gives you a transparent, defensible audit trail.

Alternatively, some tools let you enter your own seed — which seems like more control but is actually less trustworthy unless the seed itself came from a verifiable random source. A seed of "today's date" is not random. A seed pulled from a block hash on a public blockchain is much better.

For game development and app builders

Use crypto.getRandomValues() for anything that affects gameplay fairness. If you're building a card game, a loot drop system, or any feature where players could benefit from predicting outcomes, don't use Math.random(). It's a one-line change and it makes your system meaningfully more robust.
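
Swapping the source is a small change, but mapping raw random values onto a range or a shuffle needs care to stay unbiased. The code below is an added example, not code from any tool named in this article: randomInt, shuffle and the injectable nextUint32 parameter are names chosen here, and the deck is constructed sample data.

```javascript
// Browsers expose `crypto` globally; the fallback is only for older Node.js.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Default source: one unsigned 32-bit integer from the CSPRNG.
function cryptoUint32() {
  const buf = new Uint32Array(1);
  webCrypto.getRandomValues(buf);
  return buf[0];
}

// Uniform integer in [0, n). `nextUint32` is a hypothetical injectable
// parameter so the rejection path can be exercised with a fixed sequence.
function randomInt(n, nextUint32 = cryptoUint32) {
  if (!Number.isInteger(n) || n <= 0 || n > 0x100000000) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  // Largest multiple of n that fits in 2^32. Values at or above it would
  // make the low residues slightly more likely, so they are redrawn.
  const limit = Math.floor(0x100000000 / n) * n;
  let x;
  do {
    x = nextUint32();
  } while (x >= limit);
  return x % n;
}

// Fisher-Yates shuffle driven by randomInt; returns a new array.
function shuffle(items, nextUint32 = cryptoUint32) {
  const out = items.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = randomInt(i + 1, nextUint32);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Constructed sample deck for illustration.
const deck = ['A♠', 'K♥', 'Q♦', 'J♣', '10♠'];
console.log(shuffle(deck), 'first pick:', deck[randomInt(deck.length)]);
```

Scaling with Math.floor(value * n) or a bare modulo keeps the CSPRNG's unpredictability but can skew the distribution when n does not divide 2^32 evenly; the redraw loop removes that skew.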

For anything cryptographic

Only use cryptographically secure random number generators. Full stop. If you're generating passwords or tokens in the browser, the Web Crypto API is your minimum bar.

A Quick Test: Is Your Favorite RNG Tool Trustworthy?

You don't need to read source code to get a rough sense of a tool's quality. Here are some signals:

  • Does it mention the method it uses? Good tools document whether they use Math.random() or crypto.getRandomValues(). If a site claims to be "truly random" without any explanation, that's a red flag.
  • Does it have a verifiable audit trail? For high-stakes use, can you link to a specific result that can't be altered after the fact? Random.org provides timestamped result pages you can save.
  • Is there a seed you can inspect? Some tools show you the seed they used, which lets you independently verify the output. That's a sign of transparency.
  • Who built it and why? A tool built by a security researcher or statistician is more likely to be technically careful than a novelty site with ads.
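
The earlier point that a seed fixes the whole sequence and the "seed you can inspect" signal above both come down to re-running the generator. This added example (not code from any tool mentioned here) implements xorshift128+ with the 23/17/26 shift constants and re-runs a draw from a published seed. The names makeGenerator, drawWinner and verifyDraw, the splitmix64 seed expansion, and the sample names and seed are assumptions made for the illustration; the output is not meant to match any browser's Math.random().

```javascript
const MASK64 = (1n << 64n) - 1n;

// splitmix64 step, used here only to expand one seed into 128 bits of state.
function splitmix64(x) {
  let z = (x + 0x9E3779B97F4A7C15n) & MASK64;
  z = ((z ^ (z >> 30n)) * 0xBF58476D1CE4E5B9n) & MASK64;
  z = ((z ^ (z >> 27n)) * 0x94D049BB133111EBn) & MASK64;
  return z ^ (z >> 31n);
}

// xorshift128+ over 64-bit words. The seed may be an integer, a BigInt or
// a "0x..." hex string; only its low 64 bits are used.
function makeGenerator(seed) {
  let s0 = splitmix64(BigInt(seed) & MASK64);
  let s1 = splitmix64(s0);
  if (s0 === 0n && s1 === 0n) s1 = 1n; // all-zero state would stay zero
  return function next() {
    let a = s0;
    const b = s1;
    s0 = b;
    a ^= (a << 23n) & MASK64;
    a ^= a >> 17n;
    a ^= b ^ (b >> 26n);
    s1 = a;
    return (s0 + s1) & MASK64;
  };
}

// Same seed + same ordered entrant list => same winner, for anyone who runs it.
function drawWinner(seed, entrants) {
  if (entrants.length === 0) throw new RangeError('no entrants');
  const next = makeGenerator(seed);
  // A 64-bit value modulo a short list: the bias is negligible at this size.
  return entrants[Number(next() % BigInt(entrants.length))];
}

// What an auditor does with a published seed and entrant list.
function verifyDraw(seed, entrants, claimedWinner) {
  return drawWinner(seed, entrants) === claimedWinner;
}

// Constructed sample data: four entrants and a millisecond-timestamp seed.
const entrants = ['alice', 'bob', 'carol', 'dave'];
const publishedSeed = 1700000000000;
const winner = drawWinner(publishedSeed, entrants);
console.log(winner, verifyDraw(publishedSeed, entrants, winner));
```

Reproducibility cuts both ways: it makes a published draw checkable, and it means a seed that can be guessed before entries close, such as a timestamp, fixes the result in advance.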

The Deeper Takeaway

Here's what I find genuinely interesting about this rabbit hole: the question of whether something is "truly" random touches on deep problems in physics and mathematics. Even hardware random number generators are only as random as our understanding of the physical processes they measure. Quantum effects, which underlie some premium RNG hardware, are about as close to "genuinely uncaused" as physics gets — but even that's contested terrain.

For practical purposes, though, the distinction that matters is much simpler: is the output predictable by someone who could exploit that predictability? If yes, you have a problem. If no, you're probably fine.

Most browser random generators land somewhere in the middle of that spectrum. They're not rigged. They're not broken. But they're also not the mathematical equivalent of a coin flip witnessed by the universe itself.

For your next giveaway: use Random.org, save the result link, and share it with participants. It takes thirty extra seconds and removes any doubt. For your dice app or random movie picker: whatever's already in your browser is just fine.

Know what you're using. Match it to your stakes. That's really all there is to it.