Randomness is a hard problem for computers. For this reason most functions that generate randomness are not considered cryptographically secure. That means that it is possible that an attacker can take a good guess at what number a non-secure randomness generator generated.

How can randomness be attacked?

Many non-secure randomness (or entropy) generators would do something similar to the following:

```js
const crypto = require('crypto')

// Deliberately weak generator: the output is fully determined by its input (the seed).
function getRandom(timestamp, maxNumber) {
  // Take the deterministic hash of the timestamp (Node's crypto module stands in for sha256())
  const hashedTime = crypto.createHash('sha256').update(String(timestamp)).digest('hex')
  // Reduce the hash to within the range [0, maxNumber)
  return Number(BigInt('0x' + hashedTime) % BigInt(maxNumber))
}
```

This function (while ignoring some implementation details of modulus math by such a large number) will return random numbers that are based on the timestamp input, which is called the seed. If I pass in many different timestamps, the various outputs would appear random. This is an example of a weak pseudo-random number generator.

A weak pseudo-random number generator works perfectly fine if one is trying to:

- Create sample data for an application
- Write a video game engine
- etc...

However, weak pseudo-randomness can be catastrophically dangerous if one is trying to:

- Generate Bitcoin keys
- Generate passwords or salts
- etc...

Strong Pseudo-Randomness (Cryptographically Secure)

A software-only system like Qvault can at best generate strong pseudo-random data because we are working on deterministic systems. Without an outside source of entropy (like someone rolling dice and telling the computer each output), we are at the mercy of pseudo-randomness.

crypto.randomBytes()

Node's built-in crypto.randomBytes is a cryptographically secure random number generator that is based on openssl. Depending on the operating system of the user, randomBytes will use /dev/urandom (unix) or CryptGenRandom (windows). While these are still pseudo-random sources, the important thing is that their output is not guessable by an attacker.
In other words, after using crypto.randomBytes() to generate a recovery code in Qvault, an attacker can't recreate that code.

What do I do?

In short, use crypto.randomBytes() whenever you need raw random bytes. If you need a random number within a range, for example a random number between 0-9, then use a non-biased function (one that reduces the bytes to the range without modulo bias) that uses crypto.randomBytes() as its source of entropy. For example: node-random-number-csprng

Good luck! Also, always check the source!

By Lane Wagner

Follow us on medium! https://medium.com/qvault

Follow on Twitter @wagslane

Previously published at https://qvault.io/2019/07/03/randomness-and-entropy-in-node-and-electron/