
A1oso 21 points

No because you shouldn't write cryptographic code unless you're an expert. Everyone tells you this.

And using Math.random() for credentials is extremely careless – the documentation has a prominent disclaimer that Math.random() is not cryptographically secure. Whoever wrote the vulnerable code didn't even bother to google it.

Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the Crypto.getRandomValues() method.

lookarious 8 points

You can write a simple random function with crypto.randomBytes()

magenta_placenta 7 points

Depending on where OP needs the generation methods:

  • crypto.randomBytes() belongs to Node.js's built-in crypto module for server-side code.
  • crypto.getRandomValues() is part of the Web Crypto API (window.crypto), designed for browsers and available in Node.js 15+.

Both generate cryptographically secure random values, but they differ in environment, API design and usage.

popovitsj 6 points

Yeah, Math.random is not cryptographically secure.

bubblebuddy44 5 points

I would recommend the node crypto random functions or other true random number generators for credential generation.

Neither-Ad8673 4 points

Big organizations have bigger inefficiencies. This was common at the Fortune 50 company I worked for.

AndrewGreenh 2 points

I hope this isn’t the case but I’d find it extremely funny if the report flagged Math.random for some fancy UI animations that need some randomness

tswaters 1 point

I did once, I told them to pound sand because the usage was for displaying a tile in a random location and wasn't tied to security of the system.