---
title: Use CSPRNG For Security Purposes
impact: HIGH
impactDescription: prevents predictable random numbers
tags: crypto, random, entropy, csprng, security, csharp
---

## Use CSPRNG For Security Purposes

`System.Random` is not cryptographically secure and should not be used for tokens, keys, or passwords.

**Incorrect (predictable):**

```csharp
var random = new Random();
var token = random.Next(100000, 999999); // Predictable!
```

**Correct (CSPRNG):**

```csharp
using System.Security.Cryptography;

// Generate secure bytes
var bytes = new byte[32];
RandomNumberGenerator.Fill(bytes);

// Or for integers (the upper bound is exclusive: this yields 100000..999998)
var secureInt = RandomNumberGenerator.GetInt32(100000, 999999);
```
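
The following is an added example, not code from the original rule. It applies the calls above to three common cases (a URL-safe bearer token, a fixed-width numeric code, and a password drawn from an alphabet) and shows that `System.Random` repeats its output for a given seed. The class and method names (`SecureTokens`, `NewUrlToken`, `NewNumericCode`, `NewPassword`), the alphabet, and the seed value are assumptions made for illustration, and it assumes a runtime that provides `RandomNumberGenerator.GetInt32`.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper class for illustration; names are not from the original page.
public static class SecureTokens
{
    // Constructed alphabet without look-alike characters (0/O, 1/l/I).
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

    // 256-bit bearer token as URL-safe Base64 without padding.
    public static string NewUrlToken(int byteLength = 32)
    {
        var bytes = new byte[byteLength];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Fixed-width numeric code covering the full range "000000".."999999".
    // The upper bound of GetInt32 is exclusive, so pass 10^digits.
    public static string NewNumericCode(int digits = 6)
    {
        if (digits < 1 || digits > 9) throw new ArgumentOutOfRangeException(nameof(digits));
        int max = 1;
        for (int i = 0; i < digits; i++) max *= 10;
        return RandomNumberGenerator.GetInt32(max).ToString().PadLeft(digits, '0');
    }

    // Password drawn uniformly from Alphabet; GetInt32 avoids the bias of `randomByte % Alphabet.Length`.
    public static string NewPassword(int length = 20)
    {
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    public static void Main()
    {
        // Two System.Random instances with the same seed emit the same sequence,
        // so anyone who learns or guesses the seed can reproduce the "token".
        int a = new Random(1234).Next(100000, 999999);
        int b = new Random(1234).Next(100000, 999999);
        Console.WriteLine($"System.Random repeats with same seed: {a == b}");
        Console.WriteLine($"token:    {NewUrlToken()}");
        Console.WriteLine($"code:     {NewNumericCode()}");
        Console.WriteLine($"password: {NewPassword()}");
    }
}
```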

**Tools:** Roslyn Analyzers (CA5394), SonarQube
