If you've ever called Math.random() in JavaScript, you've used a random number generator. And if you've ever used it to pick a raffle winner, assign teams, or choose a giveaway recipient, you've used the wrong one.
That's not a knock on Math.random(). It does exactly what it's designed to do: produce a sequence of numbers that look random and are statistically well-distributed enough for simulations, animations, and games where the stakes are low. Under the hood, though, it's entirely deterministic. It starts with a seed value and runs it through an algorithm that produces the next number in a predictable sequence. If you know the seed and the algorithm, you can reproduce every "random" number it will ever generate. Cryptographers call this a pseudorandom number generator, or PRNG, and the distinction between pseudo and true randomness turns out to matter quite a bit.
True randomness — or as close as software can get to it — comes from what's called a cryptographically secure pseudorandom number generator (CSPRNG). In the browser, this is exposed through the Web Crypto API via crypto.getRandomValues(). The difference is that a CSPRNG draws entropy from unpredictable physical sources: mouse movements, keyboard timing, disk seek times, electrical noise in the hardware, and other signals that are practically impossible to observe or reproduce from the outside. The output is still technically algorithmic, but the inputs are so chaotic that predicting the next value is computationally infeasible even for an attacker who knows the algorithm.
Why does this matter for something as simple as picking a name from a list? Because fairness depends on unpredictability. If a tool uses Math.random() and someone understands how the browser seeds its PRNG (which varies by engine but is often based on the current timestamp), they could theoretically predict or influence the result. In practice, most people won't do this, but the point is that the guarantee of fairness breaks down. A CSPRNG closes that gap. When Quick Pick selects a name or spins a wheel, the result is backed by the same class of randomness that protects banking transactions and encrypted communications. That's not overkill — it's the baseline for any tool that claims to be fair.
There's a philosophical layer here too. Humans are notoriously bad at generating or recognizing randomness. We see patterns in noise, avoid repeating recent results (the gambler's fallacy), and tend to distribute our "random" choices too evenly. Ask someone to write down a random sequence of coin flips and they'll almost never produce the long streaks of heads or tails that genuine randomness regularly does. This is why letting software handle randomization isn't just convenient — it's more honest. A well-built random tool doesn't have biases, doesn't have favorites, and doesn't unconsciously avoid the kid who got picked yesterday.
The next time you use a random number generator, it's worth asking what's happening behind the interface. The difference between a PRNG and a CSPRNG is invisible to the user, but it's the difference between a tool that seems fair and one that actually is.