Johnny

Reputation: 1755

Seeding value in PHP

I was going through this article https://www.ambionics.io/blog/php-mt-rand-prediction

which claims that if we use mt_rand(), we can get the seed value using two values instead of brute forcing.

In the article it says

The first step in generating random numbers using mt_rand() is to use a seed, an unsigned int, to generate a state array of 624 values. This is done by either calling mt_srand($seed) or automatically, by PHP, upon requesting the first random number. After this, each call to mt_rand() will take the next state value, scramble it, and return it to the user.

My question: Is mt_rand() completely insecure, or is it platform dependent as well? For example, when I call mt_rand(), the seeding state array of 624 values that is created on my computer is different. If Person B calls mt_rand() with the same seeding value, the output state will be different. How come, then, we both get the same random number?

Upvotes: 2

Views: 112

Answers (1)

Dharman

Reputation: 33238

Seeding means providing the initial state. Every time you seed with the same number, you will get the same set of pseudo-random numbers, no matter what machine you run it on. You can think of it as performing a series of complex math operations on a given input number.

mt_rand() is a pseudo-random number generator. This means it doesn't generate truly random numbers; it only generates ones that look random. The process is completely reversible and reproducible. For this reason, it is not cryptographically secure.

If you want a cryptographically secure value, use random_bytes() or the Random\Engine\Secure class.

Upvotes: 3
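To make the point about reproducibility concrete, here is an added example (not part of the answer above and not PHP's own source): a Python re-implementation of the MT19937 steps the quoted article describes, matching what mt_rand() called without arguments does in PHP 7.1 and later. The names `PhpMtRand`, `mt_seed`, `mt_twist`, `temper` and `sequence` are hypothetical; everything is plain 32-bit integer arithmetic, which is why the seed alone fixes the output on any machine.

```python
N, M = 624, 397  # MT19937 state size and twist offset

def mt_seed(seed):
    """Expand one 32-bit seed into the 624-word state array."""
    state = [seed & 0xFFFFFFFF]
    for i in range(1, N):
        prev = state[-1]
        state.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
    return state

def mt_twist(state):
    """Regenerate all 624 words in place once the current batch is used up."""
    for i in range(N):
        y = (state[i] & 0x80000000) | (state[(i + 1) % N] & 0x7FFFFFFF)
        state[i] = state[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)

def temper(y):
    """The "scramble" step: invertible bit mixing of one state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y

class PhpMtRand:  # hypothetical name, not a PHP or Python API
    def __init__(self, seed):
        self.state = mt_seed(seed)
        self.index = N  # forces a twist before the first output

    def mt_rand(self):
        if self.index >= N:
            mt_twist(self.state)
            self.index = 0
        word = temper(self.state[self.index])
        self.index += 1
        return word >> 1  # mt_rand() returns the top 31 bits

def sequence(seed, count):
    """First `count` outputs for a given seed."""
    gen = PhpMtRand(seed)
    return [gen.mt_rand() for _ in range(count)]

if __name__ == "__main__":
    print(sequence(1, 2))  # identical list on every machine
    print(sequence(1, 2) == sequence(1, 2), sequence(1, 2) == sequence(2, 2))
```

Nothing in these steps reads the clock, the hardware or the operating system, so anyone who knows the seed can recompute every output; tokens and passwords should come from random_bytes() instead.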
