Randomizer

What is Pseudo-Randomness?

Computers are deterministic machines — they execute instructions in a predictable sequence. True randomness requires a physical source of entropy: radioactive decay, atmospheric noise, or thermal fluctuations. Since most programs cannot access these sources directly, they use pseudo-random number generators (PRNGs) instead.

A PRNG is a mathematical algorithm that produces a sequence of numbers that appears random but is actually completely determined by an initial value called the seed. Given the same seed, a PRNG will always produce the same sequence. This determinism is invisible in normal use because the seed is typically derived from unpredictable sources like the system clock or mouse movements.

The quality of a PRNG is measured by how well its output resists statistical analysis. A good PRNG produces sequences that pass randomness tests — uniform distribution, no detectable patterns, long periods before repeating. But statistical randomness is not the same as cryptographic security.

Math.random() vs crypto.getRandomValues()

JavaScript provides two fundamentally different approaches to randomness:

Math.random() returns a floating-point number between 0 (inclusive) and 1 (exclusive). It uses a PRNG algorithm (typically xorshift128+ in modern engines) that is fast and statistically adequate for most purposes. However, it is not cryptographically secure — the internal state can be reconstructed from observed outputs, allowing an attacker to predict future values.

crypto.getRandomValues() fills a typed array with cryptographically strong random values drawn from the operating system’s entropy pool (/dev/urandom on Linux, CryptGenRandom on Windows). These values are suitable for security-sensitive applications like generating passwords, encryption keys, and session tokens.

Property	Math.random()	crypto.getRandomValues()
Speed	Very fast	Slightly slower
Seed	Internal (auto)	OS entropy pool
Predictable	Yes (if state known)	No
Use case	Games, shuffles, UI	Passwords, tokens, crypto
Output	Float 0-1	Integer array

The rule of thumb is simple: if someone could gain an advantage by predicting the “random” values, use crypto.getRandomValues(). For everything else, Math.random() is fine.

The Fisher-Yates Shuffle

The Fisher-Yates shuffle (also known as the Knuth shuffle) is the standard algorithm for randomly reordering a list. It produces an unbiased permutation — every possible ordering has exactly equal probability.

The algorithm works in-place by iterating from the last element to the first. At each position, it swaps the current element with a randomly chosen element from the remaining unshuffled portion:

for i from n-1 down to 1:
    j = random integer from 0 to i
    swap array[i] and array[j]

A common mistake is the “naive shuffle” which picks a random position from the entire array at each step. This produces a biased distribution — some permutations appear more frequently than others. The Fisher-Yates algorithm avoids this by shrinking the selection range at each step.

Seeded Randomness for Reproducibility

While unpredictability is usually the goal, there are cases where you want randomness to be reproducible:

• Testing: Deterministic tests that use random data need the same sequence every run to avoid flaky results
• Procedural generation: Games and simulations generate the same world from the same seed, enabling shareable “world seeds” (Minecraft, Terraria)
• Scientific simulations: Monte Carlo methods require reproducible random sequences for peer review and validation

JavaScript’s Math.random() does not support explicit seeding. For seeded randomness, use libraries that implement seedable PRNGs like Mersenne Twister or mulberry32.

Common Use Cases

• Random selection: Picking winners from a contest, selecting random items for review, or choosing A/B test groups
• Shuffling: Randomizing quiz questions, playlist order, card decks, or presentation slides
• Sampling: Drawing a random subset from a large dataset for analysis or testing
• Procedural generation: Creating random but deterministic content — maps, textures, names, or test data
• Load balancing: Randomly distributing requests across servers to avoid hotspots (with weighted randomness for unequal server capacities)