---
title: Use Cryptographically Secure Pseudo-Random Number Generators (CSPRNG)
impact: HIGH
impactDescription: prevents predictable random values that can be exploited
tags: security, cryptography, random
---

## Use CSPRNG

For security-sensitive random values (tokens, salts, temporary passwords), use `SecureRandom` instead of the basic `rand` method: `rand` is backed by a seeded Mersenne Twister whose output is reproducible from its internal state, whereas `SecureRandom` draws from the operating system's CSPRNG.

**Incorrect (predictable random):**

```ruby
# rand is not cryptographically secure: it uses a seeded Mersenne Twister,
# so a 6-digit code drawn from it can be predicted once the state is known
temp_token = rand(100000..999999).to_s
```

**Correct (SecureRandom):**

```ruby
require 'securerandom'

# Use hex, base64 or uuid for unique tokens
temp_token = SecureRandom.hex(16)
session_token = SecureRandom.uuid
```
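The following is an added example, not part of the original guideline. It collects the `SecureRandom` calls a practitioner actually reaches for (including `random_number`, the secure drop-in for the `rand(100000..999999)` pattern above, which the correct block does not cover) and contrasts them with a seeded `Random` to show why the default generator is reproducible. The module and method names (`TokenHelper`, `numeric_code`, `seeded_codes`, etc.) are hypothetical.

```ruby
require 'securerandom'

# Added example (not from the original guideline): a small token helper built on
# SecureRandom. Names are hypothetical.
module TokenHelper
  module_function

  # Secure replacement for rand(100000..999999): a fixed-width numeric code
  # (e.g. a one-time verification code). Drawing from 0...10**digits and
  # zero-padding keeps every value equally likely.
  def numeric_code(digits = 6)
    raise ArgumentError, 'digits must be positive' unless digits.positive?
    # random_number(n) draws uniformly from 0...n using the OS CSPRNG
    SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
  end

  # Hex token: `bytes` random bytes rendered as 2*bytes hex characters.
  def hex_token(bytes = 16)
    SecureRandom.hex(bytes)
  end

  # URL-safe token (no '+', '/' or '=' padding), suitable for links such as
  # password resets or e-mail confirmations.
  def urlsafe_token(bytes = 32)
    SecureRandom.urlsafe_base64(bytes)
  end

  # Raw binary salt for password hashing (store it alongside the hash).
  def salt(bytes = 16)
    SecureRandom.random_bytes(bytes)
  end
end

# Why rand is unsuitable: Ruby's default generator (Mersenne Twister) is fully
# determined by its seed, so two generators seeded alike yield identical codes.
def seeded_codes(seed, count)
  rng = Random.new(seed)
  Array.new(count) { rng.rand(100_000..999_999) }
end

if $PROGRAM_NAME == __FILE__
  puts "numeric code:       #{TokenHelper.numeric_code}"
  puts "hex token:          #{TokenHelper.hex_token}"
  puts "urlsafe token:      #{TokenHelper.urlsafe_token}"
  puts "salt (hex):         #{TokenHelper.salt.unpack1('H*')}"
  puts "seeded rand, run 1: #{seeded_codes(1234, 3).inspect}"
  puts "seeded rand, run 2: #{seeded_codes(1234, 3).inspect}"
end
```

Running it prints fresh, differing values for each `TokenHelper` call on every run, while the two `seeded_codes` lines are identical: the same seed reproduces the same "random" codes, which is exactly the property an attacker needs and the property `SecureRandom` denies them.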

**Tools:** Brakeman, Manual Review
---
