Browser Randomness
How browsers generate random values
Modern browsers provide the following APIs for generating random values:
Math.random() — fast but not cryptographically secure
crypto.getRandomValues() — cryptographically secure random values
crypto.randomUUID() — generates a UUID v4 using secure randomness
The Web Crypto API
The Web Crypto API (window.crypto) provides access to cryptographically strong random number generators built into the browser. These generators use entropy from the operating system — hardware noise, timing variations, and other unpredictable sources.
When you use crypto.getRandomValues(), you get values that are suitable for security-sensitive operations like generating passwords, tokens, and encryption keys.
Why Math.random is not suitable for secrets
Math.random() uses a pseudo-random number generator (PRNG). PRNGs are deterministic: given the same seed, they produce the same sequence. If an attacker can guess or observe the seed, they can predict all "random" values.
For non-security purposes (animations, games, shuffling a playlist), Math.random() is fine. For anything related to security — passwords, tokens, keys, secrets — always use the Web Crypto API.
RandKit does not send values to a server
All generation in RandKit happens entirely in your browser. No network requests are made during generation. You can verify this by opening your browser's DevTools Network tab — you will see no fetch or XHR requests when you click Generate.
RandKit does not store generated values in localStorage, sessionStorage, or cookies. Once you navigate away from the page, the values are gone.