True Random vs Pseudo-Random Numbers: What's the Difference?

Published by TheRandomNumber.com

Every piece of software that generates a "random" number is doing one of two very different things: it is either producing a number that looks random using a mathematical formula, or it is drawing on genuine physical unpredictability from the real world. These two approaches — pseudo-random and cryptographically random — produce sequences that are often indistinguishable to the eye but differ significantly in how predictable they are to someone trying to crack them.

For most everyday uses, the distinction doesn't matter much. For some uses, it matters enormously.

What is a pseudo-random number generator (PRNG)?

A pseudo-random number generator (PRNG) is an algorithm that takes a starting value called a seed and applies a mathematical formula repeatedly to produce a sequence of numbers. The sequence looks random — the numbers are spread fairly evenly across the available range, and there is no obvious pattern — but it is entirely deterministic. Given the same seed, the same algorithm will always produce exactly the same sequence of numbers.

The most common example in web development is JavaScript's Math.random(). Under the hood, most browsers implement it using an algorithm called xorshift128+ or a similar PRNG. It is fast, it produces reasonable-looking randomness for most purposes and it requires no special hardware. But it is seeded by the browser, and while that seed is not easily guessable, the output is technically reproducible if you know the seed and the algorithm.

PRNGs have been the workhorse of computing for decades. They are used in games, simulations, statistical sampling and anywhere that "good enough" randomness is acceptable and performance matters.

What is a cryptographically secure random number generator (CSPRNG)?

A cryptographically secure random number generator (CSPRNG) is a different beast. Instead of relying on a mathematical formula, it draws from genuine physical entropy — real-world unpredictability that cannot be reproduced. Modern operating systems collect this entropy from sources like hardware timing events, CPU state, keyboard and mouse input, and other signals that vary in ways that are genuinely difficult to predict.

In a browser, this is exposed through the Web Cryptography API as window.crypto.getRandomValues(). When you call this function, the browser draws from the operating system's entropy pool to produce numbers that are not just statistically uniform but are cryptographically unpredictable — meaning that even if someone knows the algorithm and has observed previous outputs, they cannot reasonably predict the next number.

This is the standard used in password generation, encryption key creation, session tokens and anything where the stakes of predictability are high.

Why does the distinction matter?

For most everyday uses — picking a lottery number, rolling a virtual die, selecting a name from a hat — the practical difference between a PRNG and a CSPRNG is negligible. Neither source of randomness will help you win the lottery more often, and a game result generated by Math.random() is not meaningfully less "fair" than one generated by the crypto API.

The distinction matters in two specific scenarios. The first is security. If you are generating passwords, encryption keys, authentication tokens or anything that needs to be genuinely unguessable, a PRNG is inadequate. An attacker who can observe some of your outputs or knows the time your system started may be able to reconstruct the seed and predict future values. A CSPRNG makes this computationally infeasible.

The second scenario is high-stakes fairness. In gambling systems, regulated lotteries and competitive randomisation, using a CSPRNG is a stronger guarantee of integrity — not because a PRNG would obviously produce biased results, but because a CSPRNG provides provable unpredictability that can withstand scrutiny. A well-designed PRNG is fine for most games; a CSPRNG is simply more defensible.

What about "true" random numbers from hardware?

There is a third category: hardware random number generators (HRNGs), which derive randomness from physical processes like thermal noise, radioactive decay or atmospheric noise. Services like random.org use atmospheric radio noise as their source. This is arguably "more" random than a CSPRNG, because it draws on processes that are fundamentally non-deterministic at the quantum level.

In practice, for the vast majority of applications, the difference between a well-seeded CSPRNG and a true HRNG is academic. Both produce sequences that pass statistical randomness tests, and neither gives you any advantage in a lottery or game. The HRNG has philosophical appeal — there is something satisfying about randomness rooted in physical reality — but it is not functionally superior for everyday use.

How do you tell which an online tool is using?

Most tools do not disclose this. If a tool is serious about randomness, it will tell you which API or algorithm it uses. If it does not say, it is most likely using Math.random() — which is fine for casual use but worth knowing.

TheRandomNumber.com uses window.crypto.getRandomValues() for every result — the browser's cryptographic API, not Math.random(). Try the Random Number Generator to generate a number in any range with genuine cryptographic randomness.

The bottom line

For rolling dice, picking lottery numbers, flipping a virtual coin or selecting a winner from a list, the difference between pseudo-random and cryptographically random is largely irrelevant to the fairness of the result. For anything security-sensitive — passwords, tokens, keys — a CSPRNG is non-negotiable. Knowing which your tool uses is simply a matter of being informed, and increasingly, the better tools make it easy to find out.

This article is intended for general educational purposes. For security-critical applications, consult a security professional and use vetted cryptographic libraries appropriate to your platform.