Random Numbers in JavaScript

Master random number generation with Math.random() and the Web Crypto API for secure, unpredictable values.

What Is Math.random()?

The Math.random() function is a built-in JavaScript method that returns a pseudo-random floating-point number between 0 (inclusive) and 1 (exclusive). This means every call produces a number where 0 ≤ result < 1, with approximately uniform distribution across that range.

The term "pseudo-random" is important: Math.random() uses algorithms to produce sequences of numbers that appear random but are deterministic. The implementation selects the initial seed automatically and cannot be chosen or reset by you, meaning you cannot reproduce the same sequence on demand.

Math.random() is part of the Math object, a static namespace for mathematical constants and functions. You call it directly as Math.random() without creating an instance.

// Basic random number generation
const randomNumber = Math.random();
// Returns: 0.123456789 (any number from 0 to 0.999999999)

// Generate a random number between 0 and 10
const scaledRandom = Math.random() * 10;
// Returns: 0.0 to 9.999...

Behind the scenes, JavaScript engines implement Math.random() using pseudo-random number generator (PRNG) algorithms. While the specific algorithm varies between browsers and environments, they all produce numbers that pass statistical randomness tests while being computationally efficient. This makes it suitable for games, simulations, and UI effects, but not for security-sensitive operations.

Understanding Random Number Generation

Key concepts for effective use of random values

Pseudo-Random Numbers

Math.random() uses algorithms to generate sequences that appear random but are deterministic. Not suitable for security-critical applications.

Uniform Distribution

Values are distributed approximately evenly across the range, making Math.random() suitable for games, simulations, and UI effects.

No Seed Control

You cannot set or reset the random seed, so sequences cannot be reproduced. This is by design for security and unpredictability.

Performance Optimized

The algorithm is designed for speed and statistical randomness rather than cryptographic unpredictability.

Basic Usage and Syntax

The syntax for Math.random() is intentionally simple since it takes no parameters:

// Basic random number generation
const randomNumber = Math.random();
// Returns: 0.123456789 (any number from 0 to 0.999999999)

Every call produces a new value in the range [0, 1). This base functionality transforms into useful patterns through mathematical operations.

Generating Random Integers

To convert floating-point results to integers, use Math.floor():

// Random integer from 0 to max-1
function getRandomInt(max) {
 return Math.floor(Math.random() * max);
}

console.log(getRandomInt(3)); // Returns: 0, 1, or 2
console.log(getRandomInt(10)); // Returns: 0 through 9

Random Numbers Within a Range

// Random number between min (inclusive) and max (exclusive)
function getRandomArbitrary(min, max) {
 return Math.random() * (max - min) + min;
}

console.log(getRandomArbitrary(1, 10)); // Returns: 1.0 to 9.999...

Inclusive and Exclusive Boundaries

// Random integer: min (inclusive) to max (exclusive)
function getRandomInt(min, max) {
 const minCeiled = Math.ceil(min);
 const maxFloored = Math.floor(max);
 return Math.floor(Math.random() * (maxFloored - minCeiled) + minCeiled);
}

// Random integer: both min and max inclusive
function getRandomIntInclusive(min, max) {
 const minCeiled = Math.ceil(min);
 const maxFloored = Math.floor(max);
 return Math.floor(Math.random() * (maxFloored - minCeiled + 1) + minCeiled);
}

console.log(getRandomInt(1, 6)); // Returns: 1, 2, 3, 4, or 5
console.log(getRandomIntInclusive(1, 6)); // Returns: 1, 2, 3, 4, 5, or 6

Why Not Use Math.round()?

Using Math.round() produces a non-uniform distribution. Values at boundaries have lower probability because it rounds to the nearest integer rather than always down. This introduces bias in games or lottery systems where fairness matters.

Common Use Cases

Random numbers appear throughout web development in countless practical applications.

Games and Interactive Elements

Games use random numbers for dice rolls, card shuffling, enemy spawns, procedural generation, and loot drops:

function rollDice() {
 return Math.floor(Math.random() * 6) + 1;
}

console.log(`You rolled a ${rollDice()}!`);

UI Effects and Visual Variations

Random values create engaging, less predictable interfaces. When combined with CSS transforms, you can create dynamic visual effects that capture user attention:

function getRandomColor() {
 const hue = Math.floor(Math.random() * 360);
 return `hsl(${hue}, 70%, 50%)`;
}

document.body.style.backgroundColor = getRandomColor();

Shuffling Arrays (Fisher-Yates)

The Fisher-Yates shuffle algorithm creates unbiased permutations of arrays using random numbers:

function shuffleArray(array) {
 for (let i = array.length - 1; i > 0; i--) {
 const j = Math.floor(Math.random() * (i + 1));
 [array[i], array[j]] = [array[j], array[i]];
 }
 return array;
}

const cards = ['A', 'K', 'Q', 'J', '10'];
console.log(shuffleArray(cards));

Random Sampling and Selection

function getRandomItem(array) {
 return array[Math.floor(Math.random() * array.length)];
}

const quotes = [
 "The only way to do great work is to love what you do.",
 "Stay hungry, stay foolish.",
 "Think different."
];

console.log(getRandomItem(quotes));

Math.random() Is NOT Cryptographically Secure

Never use Math.random() for authentication tokens, password reset codes, API keys, or cryptographic nonces. The pseudo-random number generator it uses is designed for performance, not unpredictability. Use Crypto.getRandomValues() instead for security-sensitive applications.

Cryptographically Secure: Crypto.getRandomValues()

The Crypto.getRandomValues() method generates cryptographically strong random values for security-sensitive operations. Unlike Math.random(), it uses entropy from the operating system's random number generator to produce unpredictable values.

// Generate a secure random integer
const array = new Uint32Array(1);
crypto.getRandomValues(array);
const secureRandom = array[0];

console.log(`Secure random: ${secureRandom}`);

Supported Typed Arrays

const byteArray = new Uint8Array(8);
crypto.getRandomValues(byteArray);

const shortArray = new Uint16Array(4);
crypto.getRandomValues(shortArray);

const intArray = new Uint32Array(2);
crypto.getRandomValues(intArray);

Constraints

Maximum size: 65,536 bytes (64KB) per call
Typed arrays only: Works with Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, BigInt64Array, and BigUint64Array
In-place modification: Array is modified and returned, not copied
Browser support: All modern browsers since 2015

When to Use Each Method

Math.random()

Games, UI effects, non-critical randomization

getRandomValues()

Auth tokens, password resets, API keys

Performance

Negligible difference between both methods

Security First

When in doubt, use getRandomValues()

Practical Secure Random Applications

// Generate a secure session ID
function generateSecureId(length) {
 const bytes = new Uint8Array(length);
 crypto.getRandomValues(bytes);
 const hex = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
 return hex;
}

console.log(generateSecureId(16)); // 32-character hex string

// Generate a secure verification code
function generateVerificationCode() {
 const codes = new Uint32Array(1);
 crypto.getRandomValues(codes);
 return String(codes[0] % 1000000).padStart(6, '0');
}

console.log(generateVerificationCode()); // "042187" format

Decision Guide: Which Method Should You Use?

Use Math.random() when:

Building games or entertainment features
Creating UI effects and animations
Implementing non-critical randomization
Conducting statistical sampling (non-security contexts)
Any scenario where predictability wouldn't create a vulnerability

Use Crypto.getRandomValues() when:

Generating authentication or session tokens
Creating password reset or email verification codes
Building API keys or access tokens
Implementing cryptographic nonces
Handling any security-critical randomization

Rule of thumb: When in doubt about security implications, err on the side of using getRandomValues(). The performance difference is negligible for most applications.

Best Practices and Recommendations

Common Pitfalls to Avoid

Off-by-one errors: Remember Math.random() returns [0, 1), so multiply by (max - min) not max
Boundary confusion: Decide inclusive vs exclusive, adjust formulas accordingly
Using Math.round(): Creates uneven distributions--always use Math.floor() for random integers
Security oversights: Never use Math.random() for security-sensitive values
Assuming true randomness: Both methods use algorithmic generation, just with different security properties

Quick Reference: Choosing the Right Tool

Scenario	Method	Example
Dice roll, game loot	Math.random()	`Math.floor(Math.random() * 6) + 1`
Shuffle playlist	Math.random()	Fisher-Yates shuffle
Random UI color	Math.random()	Random HSL hue
Session ID token	getRandomValues()	Cryptographically secure
Password reset code	getRandomValues()	6-digit verification
API key generation	getRandomValues()	Random bytes converted to hex

Related Resources

JavaScript Fundamentals -- Core concepts for web developers
Web Security Best Practices -- Protecting your applications
CSS Layout Techniques -- Building responsive interfaces

For secure web application development, our team can help you implement proper random number generation and other JavaScript best practices. Contact us for a free consultation on your project's security requirements.

Frequently Asked Questions

What is the difference between Math.random() and Crypto.getRandomValues()?

Math.random() generates pseudo-random numbers for general use, while Crypto.getRandomValues() provides cryptographically secure values using OS entropy. Use getRandomValues() for any security-sensitive application.

Can I reproduce the same random sequence in JavaScript?

No. Neither Math.random() nor getRandomValues() allow you to set or reset the seed. If you need reproducible randomness, you'll need a custom PRNG implementation.

What is the range of Math.random()?

Math.random() returns a number greater than or equal to 0 and less than 1. So the range is [0, 1) or 0 ≤ n < 1.

Why shouldn't I use Math.round() with Math.random()?

Math.round() creates a non-uniform distribution where boundary values have lower probability. For fair random selection, always use Math.floor() with Math.random().

What typed arrays can I use with getRandomValues()?

Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, BigInt64Array, and BigUint64Array. Maximum 64KB per call.

Need Help with Secure Web Development?

Our team can help you implement secure random number generation and other JavaScript best practices for your applications.

Sources

MDN Web Docs: Math.random() -- Official JavaScript reference with complete syntax and examples
MDN Web Docs: Crypto.getRandomValues() -- Web Crypto API documentation for secure random generation
W3Schools: JavaScript Random -- Practical examples and interactive tutorials