
Why Math.random() Will Fail Your Next Security Audit
If you have ever written something like this in a production codebase:

const secret = Math.random().toString(36).slice(2);

You have shipped a credential that will fail a security audit. Not might fail. Will fail. Here is why that matters and what to do about it before your auditors find it first.

With the renewed focus on Executive Order 14028 and software supply chain security, auditors are no longer just looking at what libraries you use. They are looking at how you use them to generate internal secrets. Credential generation is now explicitly in scope for supply chain security reviews in ways it was not three years ago.

The problem with Math.random()

Math.random() is not a cryptographic function. It was never designed to be. It generates pseudorandom numbers that are fast and statistically distributed enough for things like shuffling a playlist or generating a random color. It is completely wrong for generating secrets, API keys, passwords, or any credential that needs to be unpredi
Continue reading on Dev.to

