Here is an elaborated post on why you should use the SecureRandom class instead of the Random class.
The purpose of these tokens is fairly sensitive: they are used for session IDs, password reset links, etc. So they need to be cryptographically random, so that nobody can guess them or feasibly brute-force them. The token is a “long”, so it is 64 bits long.
For security purposes, it is essential that we use an API that generates random numbers which are unique and cannot be guessed easily. If the random numbers that we use in our application can be guessed, it creates a loophole in the security of the application.
Java provides two classes for generating random numbers: java.util.Random and java.security.SecureRandom.
As mentioned in the Javadocs for java.util.Random: “An instance of this class is used to generate a stream of pseudorandom numbers. The class uses a 48-bit seed, which is modified using a linear congruential formula”. It is also mentioned in the Javadocs that “If two instances of Random are created with the same seed, and the same sequence of method calls is made for each, they will generate and return identical sequences of numbers”. By default, the seed for the Random algorithm is the system time in milliseconds, making the random numbers guessable.
The code currently uses the java.util.Random class to generate these tokens. The documentation (http://docs.oracle.com/javase/7/docs/api/java/util/Random.html) for java.util.Random clearly states that “Instances of java.util.Random are not cryptographically secure. Consider instead using SecureRandom to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications.”
As the Javadocs for java.security.SecureRandom state, “This class provides a cryptographically strong pseudo-random number generator (PRNG)”. Since the random numbers generated by this class are cryptographically secure, they cannot be guessed and are random in the true sense.
It is also important to consider in which areas of the application we should use the SecureRandom class, since SecureRandom lowers the performance of the application. But wherever the security of the application is at stake, for example when generating session IDs, we must always use the SecureRandom class.
For example: SecureRandom secureRandom = new SecureRandom();
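To make the difference concrete, here is an added example (not code from the original post) that puts the Random-based 64-bit token generator beside a SecureRandom-based one; the class and method names, the constructed seed value, and the 16-byte string token are assumptions of this example, not something the post specifies.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example, not from the original post: the "before" token generator built on
// java.util.Random beside a replacement built on java.security.SecureRandom.
// Class and method names are hypothetical. Base64 URL encoding needs Java 8+.
public class TokenGeneration {

    // Weak: a 48-bit LCG seeded from a clock value. Two instances seeded identically
    // produce identical token sequences, exactly as the Random Javadoc states.
    static long weakToken(long seed) {
        return new Random(seed).nextLong();
    }

    // Strong: one SecureRandom shared by the application. The no-arg constructor
    // lets the platform choose a cryptographically strong algorithm and seed it;
    // do not pass a seed of your own.
    private static final SecureRandom SECURE = new SecureRandom();

    // The post's 64-bit "long" token, now drawn from a CSPRNG.
    static long secureToken() {
        return SECURE.nextLong();
    }

    // For session IDs or reset links carried in a URL, a wider token gives more
    // margin than 64 bits: numBytes = 16 yields 128 bits of entropy.
    static String secureStringToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long seed = 1_700_000_000_000L; // a clock-like seed, constructed for the demo
        // Same seed, same token: the Random-based token is fully reproducible,
        // which is why a clock-seeded Random is unsuitable for security tokens.
        System.out.println("Random tokens equal: " + (weakToken(seed) == weakToken(seed)));
        // SecureRandom tokens are not derivable from the clock or from each other.
        System.out.println("SecureRandom token:  " + secureToken());
        System.out.println("URL-safe token:      " + secureStringToken(16));
    }
}
```

Keep a single SecureRandom instance for the application rather than constructing one per token, which addresses the performance concern mentioned above.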
Stay tuned to know more.
Have a nice day 🙂