Avoid pseudo-random numbers

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: csharp-security/no-pseudo-random

Language: C#

Severity: Notice

Category: Security

CWE: 338

Description

Avoid pseudo-random generator as they generate numbers that are easy to guess. Prefer more secure, cryptographic-friendly random generators.

Learn More

Non-Compliant Code Examples

class MyClass {
    public static void routine()
    {
        var random = new Random();
        var bytes = new byte[16];
        var randomizeTwice = true;
        var randomizeThrice = false;
        random.NextBytes(bytes);
        if (randomizeTwice) {
            random.NextBytes(bytes);
        }
        if (randomizeThrice) {
            new Random().NextBytes(bytes);
        }
    }
}

Compliant Code Examples

using System.Security.Cryptography;

class MyClass {
    public static void routine()
    {
        var random = RandomNumberGenerator.Create();
        byte[] randomData = new byte[4];
        randomGenerator.GetBytes(randomData);
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis