# How to replace Math.random with crypto in JavaScript

JavaScript has a method for generating random numbers from 0 to less than 1: `Math.random()`

. If you’ve ever been working on an app that selects a random item from a list, chances are that you’ve done something like this:

`const randomItem = list[`

Math.floor(Math.random() * list.length)

]

This will probably work for 99% of the use cases of a random number. However, numbers generated from `Math.random`

are **not** cryptographically secure. That means that the “random” values are guessable by a computer and therefore not suitable for use in cryptography.

Thankfully, we have other methods of generating random numbers in the browser: `crypto`

. This global object has a `getRandomValues`

method that we can use to recreate the functionality above. The method needs to be called with an typed array, so we’ll create one with the `Uint8Array`

constructor with a length of 1:

`const typedArray = new Uint8Array(1)`

Now we pass this to `getRandomValues`

and select the first (and only) item from the returned array.

`const typedArray = new Uint8Array(1)`

const randomValue = crypto.getRandomValues(typedArray)[0]

// E.g. 122

Since we used an `Uint8Array`

, all of the numbers generated will from 0 to 255. To convert that into the same float returned from `Math.random`

, we need to divide the value by the total number of possible numbers: 256 or 2^{8}.

`const typedArray = new Uint8Array(1)`

const randomValue = crypto.getRandomValues(typedArray)[0]

const randomFloat = randomValue / Math.pow(2, 8)

// E.g. 0.4765625

With these steps in place, we can create a function that is a drop-in replacement for `Math.random`

called `cryptoRandom`

.

`function cryptoRandom() {`

const typedArray = new Uint8Array(1)

const randomValue = crypto.getRandomValues(typedArray)[0]

const randomFloat = randomValue / Math.pow(2, 8)

return randomFloat

}

A few things to note:

**You’ll (probably) never need this**. Reach for`Math.random`

unless you have a very specific reason for cryptographic security.**The floats from this method are shorter**.`Math.random`

pretty consistently returns floats that are 10+ decimal places long. If you are depending on a long tail of numbers, then consider switching to`Uint32Array`

and dividing by`Math.pow(2, 32)`

.**I’m not a security expert**. All of the information in this article was from a quick Google search; make sure to consult people who know what they’re talking about before copying and pasting code from a random website.

I hope that helps and as always: let me know if you have any corrections to the article.

Happy randomizing!