A random generator produces unpredictable values — numbers, strings, colors, or dice rolls — for decisions, games, testing, security, and creative inspiration. But not all randomness is equal: using the wrong type of random generation can create security vulnerabilities or unfair outcomes.
This guide covers the three types of randomness (pseudo, cryptographic, true), common generation scenarios with ranges, developer use cases for UUIDs and test data, fairness/bias pitfalls, and code examples for correct random generation.
Generate Random Values Instantly — Numbers, Strings, UUIDs, Dice
All generation types in one tool. CSPRNG for passwords and tokens. 100% browser-based.
Three Types of Random Generation
| Type | How It Works | Speed | Use For | NOT For |
|---|---|---|---|---|
| Pseudo-random (PRNG) | Algorithm from seed value | Very fast | Games, simulations, UI shuffles | Passwords, tokens, crypto |
| Cryptographic (CSPRNG) | OS entropy (hardware noise, timing) | Fast | Passwords, API keys, tokens, encryption | Nothing — safe for all uses |
| True random (TRNG) | Physical phenomena (radioactive decay, atmospheric noise) | Slow | Lotteries, scientific research, key generation | High-throughput needs |
Math.random() is PRNG — predictable if the seed is known. NEVER use it for passwords, tokens, session IDs, or any security-sensitive purpose. Use crypto.getRandomValues() (browser) or crypto.randomBytes() (Node.js) instead. ToolsArena uses CSPRNG for all security-related generation.
Random Number Generation: Ranges & Common Scenarios
| Scenario | Range | Example | Method |
|---|---|---|---|
| Coin flip | 0-1 or 1-2 | 0=Heads, 1=Tails | PRNG fine |
| Standard dice (D6) | 1-6 | Board games, D&D | PRNG fine |
| D20 (tabletop RPG) | 1-20 | Dungeons & Dragons | PRNG fine |
| Playing card | 1-52 | Card games | PRNG fine |
| Lottery (India Lotto) | 1-49, pick 6 | Must be truly random | TRNG required |
| Percentage chance | 1-100 | Drop rates, A/B tests | PRNG fine |
| PIN code | 0000-9999 | ATM, app lock | CSPRNG required |
| OTP | 000000-999999 | 2FA codes | CSPRNG required |
JavaScript: Math.floor(Math.random() * (max - min + 1)) + min
For 1-6: Math.floor(Math.random() * 6) + 1
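For CSPRNG: crypto.getRandomValues(new Uint32Array(1))[0] % (max - min + 1) + min (the plain % leaves a slight modulo bias unless the range size divides 2^32; see Modulo Bias below)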
Random String & Password Generation
Character Sets
| Set | Characters | Count | Use Case |
|---|---|---|---|
| Lowercase | a-z | 26 | URL slugs, simple IDs |
| Alphanumeric | a-z, A-Z, 0-9 | 62 | Tokens, short URLs |
| Full ASCII | a-z, A-Z, 0-9, symbols | 95 | Passwords |
| Hex | 0-9, a-f | 16 | Colors, hashes, keys |
Entropy by Length
| Length | Alphanumeric (62) | Full ASCII (95) |
|---|---|---|
| 8 chars | 47.6 bits | 52.6 bits |
| 12 chars | 71.5 bits | 78.8 bits |
| 16 chars | 95.3 bits | 105.1 bits |
| 32 chars | 190.5 bits | 210.2 bits |
For passwords: 12+ characters from full ASCII set (78+ bits entropy). For API tokens: 32+ alphanumeric characters (190+ bits).
UUID Generation: When & Why
UUID v4 = 122 random bits = 5.3 × 10^36 possible values.
Collision Probability
Generating 1 billion UUIDs per second for 100 years: probability of a single collision ≈ 0.00000000006%. For all practical purposes: zero.
When to Use UUIDs
- Database primary keys — no central counter needed, safe for distributed systems
- Session tokens — unguessable identifiers
- File names — unique upload filenames, no collision with existing files
- Idempotency keys — prevent duplicate API operations
- Event tracking — unique IDs for analytics events
UUID Format
550e8400-e29b-41d4-a716-446655440000
^^^^^^^^-^^^^-4^^^-[89ab]^^^-^^^^^^^^^^^^
(v4 marker) (variant)
UUID v7 (2024+) embeds a timestamp, making it sortable by creation time — better for database indexes. UUID v4 is purely random. For new projects, consider v7 if your database benefits from sorted keys (PostgreSQL, most SQL databases).
Random Generation for Developers
Test Data Generation
- Load testing — Random user profiles, addresses, transactions for API stress tests
- UI testing — Random string lengths to test layout overflow, edge cases
- Database seeding — Realistic but randomized data for development environments
- Fuzz testing — Random inputs to find crashes and security vulnerabilities
Code Examples
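```js
// JavaScript — random integer in range (PRNG, non-security use only)
const randInt = (min, max) => Math.floor(Math.random() * (max - min + 1)) + min;

// JavaScript — cryptographic random string (base-36 alphabet, unbiased)
const randString = (len) => {
  const alphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
  const limit = 256 - (256 % alphabet.length); // 252: bytes at or above this are rejected to avoid modulo bias
  let out = '';
  while (out.length < len) {
    for (const b of crypto.getRandomValues(new Uint8Array(len))) {
      if (b < limit && out.length < len) out += alphabet[b % alphabet.length];
    }
  }
  return out;
};
```

```python
# Python — random choice from list (PRNG, non-security use only)
import random
random.choice(['red', 'blue', 'green'])

# Python — cryptographic token
import secrets
secrets.token_urlsafe(32)  # 32-byte URL-safe token
```
Fairness, Bias & Common Mistakes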
Modulo Bias
Mapping a large range to a smaller one using modulo (%) creates slight bias. Example: rand() % 6 where rand() returns 0-7 gives 0 and 1 a higher probability (2/8) than 2-5 (1/8). Modern libraries handle this — but raw modulo on crypto random bytes has this issue.
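The rand() % 6 case above, counted exhaustively, next to a rejection-sampling replacement for the % (max - min + 1) CSPRNG formula given earlier. This is an added JavaScript example, not the page's or ToolsArena's own code; secureRandInt, outcomeCounts and otp are illustrative names.

```javascript
// Added example (not from the original page). Names below are illustrative.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Default source: one uniform 32-bit unsigned integer from the CSPRNG.
const cryptoU32 = () => rng.getRandomValues(new Uint32Array(1))[0];

// Uniform integer in [min, max] by rejection sampling.
// nextU32 is injectable so the rejection path can be tested deterministically.
function secureRandInt(min, max, nextU32 = cryptoU32) {
  const range = max - min + 1;
  if (!Number.isInteger(range) || range < 1 || range > 2 ** 32) {
    throw new RangeError('range must be 1..2^32');
  }
  // Largest multiple of range that fits in 2^32; values at or above it
  // would give the low residues one extra chance, so they are discarded.
  const limit = 2 ** 32 - (2 ** 32 % range);
  let x;
  do { x = nextU32(); } while (x >= limit);
  return min + (x % range);
}

// Exhaustively count how often each result occurs when a source with
// `sourceSize` equally likely outputs is mapped onto n values with %.
function outcomeCounts(sourceSize, n, reject) {
  const limit = reject ? sourceSize - (sourceSize % n) : sourceSize;
  const counts = new Array(n).fill(0);
  for (let x = 0; x < limit; x++) counts[x % n]++;
  return counts;
}

// Zero-padded numeric code, e.g. a 6-digit OTP (000000-999999).
function otp(digits = 6) {
  return String(secureRandInt(0, 10 ** digits - 1)).padStart(digits, '0');
}

console.log(outcomeCounts(8, 6, false)); // the page's rand() % 6 case: 0 and 1 occur twice
console.log(outcomeCounts(8, 6, true));  // after rejecting 6 and 7: every value occurs once
console.log(otp());
```

For a six-sided range, only the top four of the 2^32 possible values are rejected, so the retry loop almost never runs more than once.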
Fisher-Yates Shuffle
The only correct way to shuffle an array. array.sort(() => Math.random() - 0.5) is biased — some permutations are more likely than others. Use Fisher-Yates:
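```js
// Fisher-Yates shuffle, in place
function shuffle(arr) {
  for (let i = arr.length - 1; i > 0; i--) {
    const j = Math.floor(Math.random() * (i + 1)); // uniform index in 0..i
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr;
}
```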
Common Mistakes
- Using Math.random() for security — predictable, not cryptographic
- Same seed in production — reproducible sequences are exploitable
- Expecting no streaks — 5 heads in a row is normal randomness, not a bug
- Small sample conclusions — 10 rolls averaging 4.2 instead of 3.5 does not mean the generator is biased
How to Use the Tool (Step by Step)
1. Open the Random Generator: Navigate to the tool on ToolsArena — no signup needed.
2. Choose Generation Type: Select number, string, password, color, UUID, or dice roll.
3. Set Parameters: Define range (min-max), length, character set, or count of results.
4. Generate: Click generate and see results instantly.
5. Copy: Copy individual results or the entire batch to your clipboard.
Frequently Asked Questions
Is Math.random() truly random?
No. Math.random() is pseudo-random (PRNG) — algorithm-based and deterministic from a seed. It is fine for games, UI animations, and non-security purposes. For passwords, tokens, and encryption, use crypto.getRandomValues() which is cryptographically secure (CSPRNG).
What is a UUID and when should I use one?
UUID (Universally Unique Identifier) v4 has 122 random bits — collision probability is effectively zero even generating billions. Use for database primary keys, session tokens, file names, idempotency keys, and any case where you need a unique ID without a central counter.
How do I generate a random number in a specific range?
JavaScript formula: Math.floor(Math.random() * (max - min + 1)) + min. For a dice roll (1-6): Math.floor(Math.random() * 6) + 1. For cryptographic quality, replace Math.random() with crypto.getRandomValues().
Can random generators be biased?
Yes, if poorly implemented. Modulo bias occurs when mapping a larger range to a smaller one unevenly. Also, using array.sort(() => Math.random() - 0.5) for shuffling produces biased results. Use Fisher-Yates shuffle and proper range mapping for unbiased output.
What is the difference between PRNG and CSPRNG?
PRNG (Pseudo-Random Number Generator) is algorithm-based — fast but predictable if the seed is known. CSPRNG (Cryptographically Secure PRNG) uses OS entropy sources — unpredictable even if the algorithm is known. CSPRNG is safe for all purposes; PRNG is only safe for non-security uses.
How long should a random API token be?
32 characters alphanumeric (190 bits entropy) is the minimum for API tokens. 64 characters provides ample margin. Always use CSPRNG generation (not Math.random()). In Node.js: crypto.randomBytes(32).toString('hex') gives a 64-character hex token.
Is this tool free and private?
Yes. All random generation happens in your browser using JavaScript. No values are sent to any server or stored anywhere.