Your phone just generated a random number.
Except it didn’t.
Because computers can’t generate random numbers. They can only pretend to.
And that pretense? It’s holding together everything from your Netflix password to nuclear weapons launch codes.
The Paradox
Here’s the problem: computers are deterministic machines. Give them the same input, they’ll give you the same output. Every single time.
True randomness means unpredictability. It means that knowing everything about the past tells you nothing about the future.
Computers can’t do that. By design.
So how does your computer generate a “random” password? How does your weather app simulate chaotic atmospheric conditions? How do cryptographic systems create unbreakable keys?
They cheat. Elegantly.
What Computers Actually Do
When you ask a computer for a random number, it runs an algorithm called a Pseudo-Random Number Generator (PRNG).
“Pseudo” is doing a lot of work in that name.
A PRNG isn’t random. It’s deterministic chaos. It takes a starting value (called a seed) and applies a mathematical formula that produces a sequence of numbers that look random.
Key word: look.
If you know the seed and the algorithm, you can predict every “random” number the computer will generate. Perfectly. Forever.
The Seed: Where It All Begins
The seed is everything.
Same seed → same sequence of “random” numbers.
Different seed → completely different sequence.
So where does the seed come from?
Bad answer: The current time.
Many older systems used the system clock as a seed. Sounds reasonable, right? Time is always changing.
Except it’s not random. If I know what time you generated a “random” number, I can reproduce your entire sequence.
Casinos learned this the hard way. In the 1990s, a group of hackers figured out that some slot machines used the current time as their seed. They could predict jackpot timing with scary accuracy.
Better answer: Environmental noise.
Modern systems use things like:
- Mouse movements
- Keyboard timing intervals
- Hard drive read/write latency
- Temperature sensor fluctuations
- Electrical noise from the power supply
These sources aren’t truly random, but they’re unpredictable enough that reverse-engineering the seed becomes computationally infeasible.
Best answer: Hardware random number generators.
Some systems have dedicated hardware that measures quantum phenomena (radioactive decay, photon behavior) or chaotic physical processes. These produce true randomness.
But they’re expensive and slow. Most systems stick with pseudo-randomness.
The Algorithm: Linear Congruential Generator
The simplest PRNG is called a Linear Congruential Generator (LCG). Here’s the entire algorithm:
X_(n+1) = (a × X_n + c) mod m
Where:
- X_n is the current number
- X_(n+1) is the next number
- a, c, and m are carefully chosen constants
- X_0 is the seed
That’s it. Three numbers and one equation.
Let’s see it in action. Say we use:
- a = 5
- c = 3
- m = 16
- Seed = 7
The sequence goes:
7 → (5×7 + 3) mod 16 = 38 mod 16 = 6
6 → (5×6 + 3) mod 16 = 33 mod 16 = 1
1 → (5×1 + 3) mod 16 = 8 mod 16 = 8
8 → (5×8 + 3) mod 16 = 43 mod 16 = 11
And so on.
Look at that sequence: 7, 6, 1, 8, 11…
Does it look random? Kind of.
Is it random? Not even close.
Because here’s the thing: since we’re using modulo 16, there are only 16 possible outputs. After at most 16 steps, the sequence must repeat.
That’s the fundamental limitation of pseudo-randomness. You’re cycling through a finite set of numbers. Eventually, you come back to where you started.
Breaking Pseudo-Random Number Generators
The LCG I showed you is terrible. Don’t use it.
But even sophisticated PRNGs have weaknesses.
In 2008, researchers at a security conference demonstrated an attack on the Debian Linux random number generator. Due to a coding error, the generator only had 32,768 possible seed values.
That sounds like a lot. It’s not.
With a decent computer, you can test all 32,768 seeds in seconds. That means every “secure” SSH key generated on affected Debian systems could be cracked instantly.
Millions of servers were vulnerable. All because of a single line of buggy code in a PRNG.
Modern Solutions: Cryptographically Secure PRNGs
Modern systems use something called a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).
These are PRNGs designed so that even if you know part of the output sequence, you can’t predict future outputs without solving problems that are computationally infeasible (like factoring massive prime numbers).
Examples include:
- Fortuna
- Yarrow
- ChaCha20
Your browser uses one of these every time you visit an HTTPS website. Your phone uses one when generating encryption keys. Nuclear missile systems use them for launch authorization codes.
The math gets complicated, but the idea is simple: make prediction harder than brute force.
The Philosophical Problem
Here’s what keeps me up at night: true randomness might not exist.
Quantum mechanics suggests the universe is fundamentally probabilistic. Radioactive decay, for instance, appears genuinely random. We can’t predict when an individual atom will decay.
But is that true randomness? Or just determinism we haven’t figured out yet?
Einstein famously rejected quantum randomness, saying “God does not play dice with the universe.”
Bohr replied, “Stop telling God what to do.”
We still don’t know who’s right.
And here’s the kicker: for practical purposes, it doesn’t matter.
Pseudo-randomness is good enough. As long as the pattern is too complex for anyone to exploit, it might as well be random.
So What’s the Answer?
Computers don’t generate random numbers. They generate deterministic sequences that are indistinguishable from randomness.
It’s like the difference between a perfectly chaotic system and a truly random one. Mathematically distinct. Practically identical.
Your computer takes a seed, runs it through an algorithm, and produces numbers that pass every statistical test for randomness.
But somewhere, buried in that sequence, is a pattern. A cycle. A deterministic structure.
We just make sure that pattern is so complex, so deeply hidden, that finding it is harder than guessing.
The Takeaway:
Next time your password manager generates a “random” password, remember: it’s not random. It’s just really, really good at pretending.
And in a deterministic universe, maybe that’s the best we can hope for.