PredictableSeed.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers
generated by it.</p>
</overview>
<recommendation>
<p>If the predictability of the pseudo-random number generator does not matter then consider using the faster
<code>Random</code> class from <code>java.util</code>. If it is important that the pseudo-random number
generator produces completely unpredictable values then either let the generator securely seed itself by not
specifying a seed or specify a randomly generated, unpredictable seed.</p>
</recommendation>
<example>
<p>In the first example shown here, a constant value is used as a seed. Depending on the implementation of
<code>SecureRandom</code>, this could lead to the same random number being generated each time the code is executed.</p>
<p>In the second example shown here, the system time is used as a seed. Depending on the implementation of
<code>SecureRandom</code>, if an attacker knows what time the code was run, they could predict the generated random
number.</p>
<p>In the third example shown here, the random number generator is allowed to generate its own seed, which it
will do in a secure way.</p>
<sample src="PredictableSeed.java" />
</example>
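The seeding patterns described above, written out as an added illustration; this is not the PredictableSeed.java sample the qhelp refers to. It pins the provider to SHA1PRNG, where a seed set before any output fully determines the sequence; on the platform default provider (NativePRNG on Linux) setSeed only mixes extra bytes into state that was already seeded from the OS, which is why the text says the effect depends on the implementation.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration of the seeding patterns the qhelp describes (not its sample file).
public class PredictableSeedDemo {
    // Bad: constant seed. SHA1PRNG is fully determined by its seed when the
    // seed is set before any output is drawn, so every run yields the same bytes.
    static byte[] constantSeed() throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(12345L);
        byte[] out = new byte[16];
        rng.nextBytes(out);
        return out;
    }

    // Bad: clock as seed. Anyone who knows roughly when the code ran has only
    // a small range of candidate seeds to consider.
    static byte[] timeSeed() throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(System.currentTimeMillis());
        byte[] out = new byte[16];
        rng.nextBytes(out);
        return out;
    }

    // Good: no seed supplied, so the generator seeds itself from the
    // platform entropy source on first use.
    static byte[] selfSeeded() {
        byte[] out = new byte[16];
        new SecureRandom().nextBytes(out);
        return out;
    }

    // Also acceptable: an explicitly seeded generator whose seed is itself
    // drawn from a secure source rather than chosen by the programmer.
    static byte[] randomlySeeded() throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(new SecureRandom().generateSeed(32));
        byte[] out = new byte[16];
        rng.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Two constant-seeded generators agree with each other; two self-seeded ones do not.
        System.out.println("constant seed repeats: " + Arrays.equals(constantSeed(), constantSeed()));
        System.out.println("self-seeded repeats:   " + Arrays.equals(selfSeeded(), selfSeeded()));
    }
}
```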
<references>
<!-- LocalWords: CWE
-->
</references>
</qhelp>