Taksh Pratap Singh

Reputation: 183

Does the randomatic npm module always create cryptographically secure strings?

I am using this module to generate cryptographically secure verification codes to sign up users on my website. The documentation (https://www.npmjs.com/package/randomatic) says the following about generating cryptographically secure strings:

randomize(pattern, length, options);

randomize.isCrypto;

randomize.isCrypto will be true when a cryptographically secure function is being used to generate random numbers. The value will be false when the function in use is Math.random.

Is there some way for me to ensure that randomize.isCrypto is always true? I am asking because the documentation does not say anything about explicitly setting it as true.

Upvotes: 1

Views: 291

Answers (1)

IMSoP

Reputation: 97848

Viewing the source of that package, we can see that the randomness is actually provided by a separate package called math-random.

That package contains two implementations:

So, if you're using it in a node.js context, you can be reasonably sure that the randomness is always from a cryptographic-strength source. You can also be confident that if a strong source of randomness is available, it will be used.

As such, all you can meaningfully do is error if there is no strong source of randomness available - you can't create one if it doesn't exist. So before using the function, check the isCrypto export on the randomatic module, and throw an error if it is not true:

var randomize = require('randomatic');
// Fail closed: isCrypto is false when the generator has fallen back to Math.random.
if ( ! randomize.isCrypto ) {
    throw new Error("Refusing to generate password with non-cryptographic randomness source.");
}

Upvotes: 3
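The fail-closed check from the answer above, written as a reusable guard, next to a generator that has no Math.random fallback because it draws from Node's built-in crypto.randomInt. This is an added example, not part of the original answer or of randomatic; the names requireCryptoSource, verificationCode, guardRejects, the alphabet and the two stub generators are hypothetical.

```javascript
const crypto = require('crypto');

// Fail closed: accept a randomatic-style generator only if it reports a CSPRNG.
// `generator` is any function carrying the `isCrypto` flag the documentation describes.
function requireCryptoSource(generator) {
  if (typeof generator !== 'function' || generator.isCrypto !== true) {
    throw new Error('Refusing to generate codes: randomness source is not cryptographic.');
  }
  return generator;
}

// Assumed alphabet: upper-case letters and digits without the look-alikes I, O, 0, 1.
const DEFAULT_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Draw each character with crypto.randomInt, which is uniform over [0, max),
// so there is no modulo bias and no non-cryptographic fallback path.
function verificationCode(length = 8, alphabet = DEFAULT_ALPHABET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (alphabet.length < 2 || new Set(alphabet).size !== alphabet.length) {
    throw new RangeError('alphabet must contain at least two distinct characters');
  }
  let code = '';
  for (let i = 0; i < length; i++) {
    code += alphabet[crypto.randomInt(alphabet.length)];
  }
  return code;
}

// Constructed stand-ins for a generator with and without a CSPRNG behind it.
const strongStub = Object.assign(() => 'unused', { isCrypto: true });
const weakStub = Object.assign(() => 'unused', { isCrypto: false });

// Returns true when the guard refuses the given generator.
function guardRejects(generator) {
  try {
    requireCryptoSource(generator);
    return false;
  } catch (err) {
    return err instanceof Error;
  }
}
```

Calling requireCryptoSource(require('randomatic')) once at startup turns a silent fallback into a startup failure rather than a weak code issued to a user.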
