I recently had a security audit that flagged the use of Math.random() for generating credentials. It turned out to be non-compliant with the NIST 800-63B standards due to insufficient entropy and lack of proper documentation to prove compliance. We revamped our credential generation process, but documenting everything retroactively took a lot of time. I'm curious about others' experiences: Are you automating compliance documentation in your workflows, or is it a manual process in your organization?
7 Answers
I recommend using Node's crypto functions or other true random number generators for creating credentials. They are way better suited for this task!
Larger organizations can really hamper efficiency. This was a common issue at the Fortune 50 company I worked for; processes were often overly complicated.
I once dealt with a similar audit. I just told them to chill because it was only for displaying tiles randomly on screen and had nothing to do with system security.
You can easily create a secure random number generator using crypto.randomBytes(). Just keep in mind:
- crypto.randomBytes() is meant for server-side code in Node.js.
- If you're working with browsers, use crypto.getRandomValues(), which is also available in Node.js 15 and up. Both work great but have different environments and use cases.
Yep, Math.random() is definitely not reliable for security. I've had to advise against its use in similar situations.
You really shouldn't be using Math.random() for cryptographic purposes! It's not secure at all, as noted in the documentation. For anything security-related, switch to the Web Crypto API and use Crypto.getRandomValues() instead. That's the way to go if you want to ensure proper security!
I hope they didn't flag Math.random() just for some UI animations! That would be a bit excessive, don’t you think?