PickRandom LogoPickRandom

Learn

Pseudo-Random vs. True Random: What Your Computer Actually Does

6 min read

A computer is, by design, the least random thing you own. Give a CPU the same instructions and the same inputs and it will produce the same output every single time — that determinism is the whole point. So when a program hands you a “random” number, something interesting has to be going on. Broadly, there are two answers, and the difference between them matters more than most people expect.

Pseudo-random: determinism in disguise

A pseudo-random number generator (PRNG) is an ordinary algorithm. It keeps a chunk of internal state, and each time you ask for a number it scrambles that state with a fixed recipe and hands you part of the result. Start it from the same initial state — the seed — and it will replay exactly the same sequence, forever. Nothing about it is random; it is merely hard to predict if you don’t know the seed.

Well-known PRNG designs include:

  • xorshift generators, which mix state using shifts and XORs — tiny, extremely fast, and good enough statistically for games and simulations
  • PCG (permuted congruential generator), which post-processes a simple linear generator to fix its statistical weaknesses
  • Mersenne Twister, the long-time default in many languages, with an enormous period of 2^19937 − 1

JavaScript’s Math.random() belongs to this family. In V8 (Chrome, Node.js) it is implemented as xorshift128+: 128 bits of internal state, scrambled with a handful of shift and XOR operations per call. It is seeded once when the engine starts, and from that moment the entire sequence is fixed. Observe a few consecutive outputs and the internal state can be reconstructed — after which every “random” number the page will ever produce is known in advance. That is fine for a dice animation and disastrous for a password.

True random: harvesting the physical world

True randomness has to come from outside the algorithm — from physical processes whose outcomes are genuinely unpredictable. Your operating system collects exactly this. It gathers entropy from sources like the precise nanosecond timing of keystrokes, mouse movement, disk and network interrupts, and on modern CPUs a hardware instruction that samples thermal noise in the silicon. All of it is mixed into an entropy pool.

Programs don’t read that pool raw. Instead, the OS uses it to seed — and continuously reseed — a cryptographically secure pseudo-random number generator (CSPRNG), exposed through interfaces like /dev/urandom or the getrandom() system call on Linux. A CSPRNG is still an algorithm, but one built so that even an attacker who sees megabytes of its output cannot work backwards to the state or forwards to the next byte. In the browser, this OS facility is what backs crypto.getRandomValues():

// One unpredictable 32-bit integer, from OS entropy
const buf = new Uint32Array(1);
crypto.getRandomValues(buf);
console.log(buf[0]);

Which one do you actually need?

“Random enough” is always relative to what an adversary — or just bad luck — could do with a prediction. A useful way to sort your use cases:

  • Simulations, games, procedural art — a fast statistical PRNG like xorshift or PCG is ideal; reproducibility from a seed is often a feature, not a bug
  • Anything with stakes — passwords, tokens, raffles with prizes, shuffling for real money — use a CSPRNG, because predictability is exactly what an attacker exploits
  • Scientific work — a seeded PRNG lets colleagues reproduce your results bit-for-bit; true randomness would make that impossible

The cost difference that once justified reaching for Math.random() has mostly evaporated — a modern CSPRNG produces numbers far faster than any web page needs them. That is why every tool on PickRandom draws from crypto.getRandomValues(): when the result of a draw matters to someone, there is no reason to accept a generator whose future can be computed from its past.

The takeaway is simple. Pseudo-random means “deterministic, but statistically well-behaved.” True random means “rooted in physics the algorithm cannot see.” Your computer uses both, layered: physical entropy seeds a secure generator, and that generator feeds everything above it. Knowing which layer you’re drawing from is the difference between a fair draw and one that only looks fair.

Try it yourself

  • Number Generator Generate random numbers within a specified range. Perfect for lotteries or simulations.
  • Flip a Coin Toss a virtual coin for an instant heads-or-tails answer. Perfect for settling quick two-way decisions.

← Back to all guides