Random the Book

Random the Book: Matt Ballantine and Nick Drage's experiment in serendipity and chance.


How does fake randomness keep you safe?

Questions for you:

  • When evaluating security systems, do you understand the difference between true randomness (physical unpredictability) and pseudorandomness (computational unpredictability), and when each is appropriate? If not (which is understandable), do you know whom to ask for help?
  • Looking at password policies requiring “random” passwords, do you recognise that human-generated “random” passwords unconsciously introduce patterns (avoiding repeated digits, preferring specific numbers) that dramatically reduce effective security?
  • When assessing cryptographic systems, do you verify that random number generation is properly implemented with adequate entropy sources, or assume all “random” generation is equivalent?
  • Looking at the encryption you use in your own life, for example in a familiar instant messaging app, how often do you check that it works the way you expect? Why?

Organisational applications:

Cryptographic PRNGs for speed and security: Most digital security uses pseudorandom number generators, not true randomness. PRNGs work like mathematical recipes: feed them a random seed, and they produce millions of statistically random numbers through entirely deterministic processes. But these processes can be particularly difficult to grasp, and can silently fall out of date. How does your organisation track what versions of encryption standards you’re using, and when they should be upgraded?

Seed security and entropy sources: A PRNG’s entire security depends on a truly random seed. If attackers can guess or determine the initial seed value, they can reproduce the entire sequence – a catastrophic security failure. This is why PRNGs in security applications are seeded with entropy from True Random Number Generators (TRNGs), which can be derived from mouse movements, keyboard timing, thermal noise, atmospheric interference, or quantum-mechanical processes. Never allow human-generated seeds (people unconsciously introduce patterns). Verify that security-critical systems use adequate entropy sources, regularly reseed PRNGs, and combine multiple entropy sources for defence-in-depth.

Human randomness failure and password security: When people try to create random passwords or PINs, they unconsciously introduce patterns – avoiding repeated digits, preferring specific numbers (often birthdays), or following predictable substitution rules (replacing ‘E’ with ‘3’). These human biases dramatically reduce effective security, turning a lock with trillions of combinations into one with just thousands. Attackers exploit these patterns through dictionary attacks that prioritise common human shortcuts and biases. Organisational password policies must require computer-generated random passwords, use password managers to eliminate human bias, and educate users that “memorable” passwords can be predictably weak.
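As an added example (not from the book), here is a Python policy check that applies the point above from the defender’s side: it undoes the predictable substitutions that an attacker’s dictionary rules also undo, flags the password if what remains is a common word, and generates replacement passwords with the OS CSPRNG so no human habit can creep in. COMMON_WORDS and the LEET substitution map are constructed for illustration; a real check would use a full dictionary.

```python
import math
import secrets
import string
from typing import Optional

# Constructed wordlist for this example; a real check uses a full dictionary.
COMMON_WORDS = {"password", "welcome", "secret", "summer", "dragon", "letmein"}
# The substitutions people believe add randomness (the 'E' -> '3' rule above);
# an attacker's dictionary rules apply exactly these in reverse.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def normalise(password: str) -> str:
    """Strip the trailing digits/symbols people append, then undo substitutions."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)

def violates_policy(password: str) -> Optional[str]:
    """Reason a human-chosen password is predictable, or None if it passes."""
    if normalise(password) in COMMON_WORDS:
        return "dictionary word with predictable substitutions"
    if len(password) < 12:
        return "too short"
    return None

def generate_password(length: int = 16) -> str:
    """Computer-generated: each character drawn independently from the OS CSPRNG,
    so no repeat-avoidance or substitution habit can shrink the keyspace."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Keyspace of a uniformly generated password, in bits."""
    return length * math.log2(alphabet_size)
```

A 16-character password drawn uniformly from the 94-character alphabet has roughly 105 bits of keyspace; “P@ssw0rd123!” normalises straight back to “password”.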

Reproducibility and debugging advantages: PRNGs offer a critical advantage over true randomness: reproducibility. Given the same seed, a PRNG produces the same sequence every time. This enables debugging security systems (reproducing the exact conditions that triggered failures), testing cryptographic protocols (verifying that implementations match specifications), and creating verifiable audit trails (proving that cryptographic operations were performed correctly). True randomness lacks this property – you can never reproduce the exact sequence. For many security applications, deterministic unpredictability is more valuable than non-deterministic randomness.
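As an added example (not from the book), here is a small Python generator that makes the PRNG, seed security and reproducibility points above concrete: the output stream is a pure function of the seed, so the same seed replays the same draws for debugging and testing, while a real deployment seeds from the OS CSPRNG mixed with further sources. CounterPRNG, seed_from_sources, production_seed and replay are names constructed for this example; the generator is a teaching toy, not a standards-conformant DRBG.

```python
import hashlib, hmac, os, secrets, time

class CounterPRNG:
    """Toy deterministic generator, constructed for this example (not a standard
    DRBG): output block i is HMAC-SHA256(seed, i), so the whole stream is a pure
    function of the seed."""

    def __init__(self, seed: bytes):
        if len(seed) < 32:  # a short seed means a small space for attackers to search
            raise ValueError("seed must carry at least 256 bits")
        self._seed, self._counter, self._buf = seed, 0, b""

    def random_bytes(self, n: int) -> bytes:
        while len(self._buf) < n:
            block = hmac.new(self._seed, self._counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self._counter += 1
            self._buf += block
        out, self._buf = self._buf[:n], self._buf[n:]
        return out

    def random_below(self, bound: int) -> int:
        # Rejection sampling: a plain "x % bound" would favour small values.
        nbytes = (bound.bit_length() + 7) // 8
        limit = (256 ** nbytes // bound) * bound
        while True:
            x = int.from_bytes(self.random_bytes(nbytes), "big")
            if x < limit:
                return x % bound

def seed_from_sources(*sources: bytes) -> bytes:
    """Hash several entropy sources into one seed (defence in depth): the result
    is no weaker than the strongest input, so one poor source cannot spoil it."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big") + s)  # length prefix keeps inputs apart
    return h.digest()

def production_seed() -> bytes:
    """Seed for real use: OS CSPRNG output mixed with timing and process identity."""
    return seed_from_sources(secrets.token_bytes(32),
                             time.time_ns().to_bytes(8, "big"),
                             os.getpid().to_bytes(4, "big"))

def replay(seed: bytes, count: int, bound: int) -> list:
    """Same seed, same draws: this is the reproducibility used for debugging."""
    gen = CounterPRNG(seed)
    return [gen.random_below(bound) for _ in range(count)]
```

Replaying a fixed test seed gives identical draws run after run, whereas two calls to production_seed() never agree, which is exactly the split between test-time reproducibility and deployment-time unpredictability.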

Further reading

Pseudorandom number generation and cryptographic security

Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno – practical cryptography guide including detailed coverage of PRNG design, implementation, and security properties showing why pseudorandomness suffices for most security applications.

The Code Book by Simon Singh – accessible history of cryptography explaining how random key generation became the foundation of modern encryption and why computational unpredictability protects digital communications.

Applied Cryptography by Bruce Schneier – comprehensive cryptography reference including extensive discussion of random number generation, PRNG algorithms, and seed security requirements.

Entropy, true randomness, and computational complexity

Randomness by Deborah J. Bennett – examines the nature of randomness, including discussion of deterministic systems producing unpredictable outputs, showing the philosophical and practical differences between true randomness and pseudorandomness.

The Drunkard’s Walk by Leonard Mlodinow – whilst primarily about probability, discusses randomness generation and why computational unpredictability can be more useful than physical randomness for practical applications.

Secrets and Lies by Bruce Schneier – security expert’s examination of digital security showing the critical importance of proper random number generation and the common failures that occur when entropy sources are inadequate.

Security failures and human randomness bias

Fatal System Error by Joseph Menn – cybercrime investigation including examples of security breaches exploiting predictable “random” number generation and weak entropy sources.

Security Engineering by Ross Anderson – comprehensive security engineering textbook including case studies of security failures from inadequate random number generation and human bias in password selection (available free online).

Click Here to Kill Everybody by Bruce Schneier – discusses modern security challenges, including why human intuition fails at creating randomness and the consequences of weak random number generation in IoT devices.

About the image

A piece of code that generates pseudo random numbers.

Illustration by Matt Ballantine, 2026