The major sites don't do this. We know because many people out there collect lit...

sillysaurus2 · on Feb 10, 2014

The random number generators used by these sites are hardware systems that use micro fluctuations in ambient temperature (for example) as a source of entropy and they are very careful to use enough bits of entropy for every card shuffled.

It's amusing to realize that they could just read from dev/urandom with zero risk. They're probably not running Linux, but still.

So, for anyone who's wondering if you need this, or if this adds any extra security: probably not. There's no reason not to use the extremely well-tested and well-understood /dev/urandom.

ivanca · on Feb 10, 2014

But their devs can't charge as much if they say "I implemented the random number generator, is one line of bash code" rather than "I created a thermal system that is connected to our server where we will use its data as seeds to generate cryptographically random numbers".

Capitalism, we all play it ;)

MertsA · on Feb 10, 2014

Actually for something cryptographic or sensitive in nature you would want to read from /dev/random. The "u" in urandom stands for unlimited, basically if the entropy pool runs dry, reads from /dev/urandom will still return data but that data doesn't necessarily have a significant amount of entropy in it. Reads from /dev/random however will block and wait for more entropy if the entropy pool runs dry.

tptacek · on Feb 10, 2014

No, this is an urban myth perpetuated by a broken man page. Cryptographic software should use urandom, not random.

sillysaurus2 · on Feb 10, 2014

tptacek has addressed this concern many times before: https://hn.algolia.com/?q=author:tptacek%20urandom#!/comment...

The summary is that it's a myth.

TwoBit · on Feb 10, 2014

FWIW, Windows has an equivalent of /dev/urandom. http://msdn.microsoft.com/en-us/library/windows/desktop/aa37...

nitrogen · on Feb 10, 2014

Is CryptGenRandom equally secure as /dev/urandom, or are there ways to use it wrong?