When to use crypto/rand and where to use math/rand?
the next value of PI can also be used....
Photo by Dan Cristian Pădureț on Unsplash
In coding, randomness is not as random as you think. There are two distinct paths to generating randomness: math/rand
and crypto/rand
. Both have their merits, but they serve very different purposes.
math/rand
If math/rand
were a person, it would be that friend who always suggests flipping a coin when no one can decide where to eat. It's fast, reliable for non-critical decisions, but you wouldn’t want to trust it with your credit card number. It’s pseudo-random, meaning that it generates sequences of numbers that only look random but are completely predictable if you know the starting seed. They are more like an hash if you have ever used those, but still random enough.
package main
import (
"fmt"
"math/rand"
"time"
)
func main() {
rand.Seed(time.Now().UnixNano()) // seed it to get different results
fmt.Println(rand.Intn(100)) // prints a random number between 0 and 99
}
Here, math/rand
gives you a number between 0 and 99. It’s great for simple tasks like shuffling a playlist or deciding who gets the last slice of pizza. But under the hood, it’s deterministic. Give it the same seed, and it’ll spit out the same sequence every time. So, if you’re thinking about using it for anything security-related…don’t.
crypto/rand
Enter crypto/rand
, the guy in a black suit who checks IDs at the door and asks if you have clearance. crypto/rand
taps into your system’s entropy sources, which means it gathers real-world randomness—things like mouse movements or hard drive noise—to generate numbers that are cryptographically secure.
package main
import (
"crypto/rand"
"fmt"
"math/big"
)
func main() {
n, err := rand.Int(rand.Reader, big.NewInt(100))
if err != nil {
fmt.Println("Error:", err)
return
}
fmt.Println(n) // prints a cryptographically secure random number between 0 and 99
}
In this example, crypto/rand
takes its time to produce a truly random number. It’s not as fast as math/rand
, but if you need unpredictability that a hacker can’t reverse-engineer, this is your go-to. It’s perfect for generating passwords, tokens, or anything where security matters.
When to Use Which?
Use math/rand
when:
You need random numbers for non-security purposes (e.g., simulations, random animations).
Speed is more important than security.
Predictability isn’t a concern.
Use crypto/rand
when:
Security is crucial (e.g., generating encryption keys, passwords).
You need true randomness that can’t be guessed or predicted.
You can afford a little extra time for the sake of security.
In the end, if you’re thinking of letting math/rand
handle your passwords… just don’t.