I used to think I was pretty clever. When I needed a JWT secret key, I'd just click random key on my keyboard for a few seconds and call it random. Different keys every time, right? Felt good. Felt secure.
But no I was Wrong.
Turns out that humans are absolutely terrible at being random. Like, absolutely bad. And if you're building anything that needs real security, this is a problem you can't ignore.
The "Smash the Keyboard" Method Doesn't Actually Work
Here's what I used to do. I'd put my fingers on the home row and just go crazy for a second. Sound funny right.
asdfghjkl;asdfghjkl;asdfghjkl;
See the problem? My brain told my fingers to move in a pattern. Even when I tried to be random, I wasn't.
You know what else I noticed? I'd always start with letters near where my hands rested. I'd hit the same keys more often. I'd avoid numbers because they felt harder to reach.
Not exactly ideal.
Our Brain is a Pattern-Making Machine
We can't help it. Our brains are wired to find patterns and create shortcuts. It's how we function. But it's also why we suck at randomness.
When you try to pick a "random" password, you're probably doing one of these things:
- Alternating between letters and numbers in a predictable way
- Using keyboard patterns (like "qwerty" or "asdf")
- Picking keys that are physically close together
- Reusing character combinations you've used before
- Avoiding certain symbols because they're annoying to type
Hackers know this. They've studied how humans think. Their tools are built around common patterns that people use when they think they're being random.
So when you type p@ssw0rd123! thinking you're clever with those symbol substitutions? Yeah, that's in every password cracking dictionary.
Math.random() Isn't Actually Random Either
Okay, so humans are bad at this. What about code?
If you've ever written JavaScript, you've probably used Math.random(). Feels pretty random when you call it, right?
const secret = Math.random().toString(36).substring(7);
Plot twist: it's not actually random. It's **pseudo-random**.
What does that mean? It means the randomness is generated using a formula. If someone knows the formula and the starting point (called a "seed"), they can predict what comes next.
It's like shuffling a deck of cards the exact same way every time. Sure, the cards look mixed up. But if I know your shuffling technique, I know where every card ends up.
For most things, pseudo-random is fine. For generating lottery numbers or picking a random user to win a giveaway? Totally fine.
For security? Not even close.
Entropy: The Five-Year-Old Explanation
Here's the word you'll hear thrown around: **entropy**.
Sounds complicated. It's not.
Imagine you have a box of crayons. If you only have 4 crayons (red, blue, green, yellow), there aren't many ways to arrange them. I could probably guess your arrangement pretty quickly.
Now imagine you have 500 crayons in every color imaginable. Suddenly, there are so many possible arrangements that I'd never guess yours. That's high entropy.
In password terms:
- Low entropy: "password123" - super predictable, easy to guess
- High entropy: "X8$mQ2#vL9@pR5&nK7^wT4" - totally unpredictable, nearly impossible to guess
The more characters you use, the more types of characters (letters, numbers, symbols), and the more random the arrangement, the higher your entropy.
Makes sense, right?
Why Machines Are Better at This Than You
Here's the thing. Computers have access to truly random sources that humans don't.
Your computer can pull randomness from things like:
- Tiny electrical noise from your hardware
- Exact timing of your mouse movements
- Temperature fluctuations in your CPU
- Atmospheric noise from radio signals
These are genuinely unpredictable things. No patterns. No formulas. Just chaos.
That's what cryptographically secure random generators use. They tap into these sources to create keys that are actually, legitimately random.
Your keyboard-mashing? Not even in the same universe.
Just Use a Generator Already
Look, I get it. Typing your own password feels more secure somehow. Like you're in control.
But you're not. You're just creating a false sense of security while making your app vulnerable.
When I needed to generate JWT secret keys for a project, I found jwtsecretkeygenerator.com. It's just a simple tool that does the one thing it needs to do: generate cryptographically secure random keys.
Click a button, get a proper random key. That's it.
No subscriptions, no accounts, no nonsense. Just randomness done right.
How to Know if Your Key is Actually Random
Here's a quick test. Look at your JWT secret key. If you can:
- Remember it without trying
- See any words or word-like patterns
- Notice keyboard patterns (qwerty, asdf, etc.)
- Find repeated sequences
- Type it without looking
...it's not random enough.
A proper secret key should look like complete gibberish. Like someone spilled alphabet soup and cat-walked across a keyboard. If it looks like anything recognizable, regenerate it.
💡 Quick Test: Show your secret key to a coworker for 10 seconds, then hide it. If they can type even part of it from memory, it's not random enough.
What About Password Managers?
Password managers are great for personal passwords. They use good random generation and they remember everything for you.
But for JWT secret keys in your application code? Different situation.
You need that key in your environment variables or config files. You need to be able to copy and paste it. You don't need to memorize it or type it regularly.
So just generate it properly once, store it securely, and move on with your life.
The Math is Scary (But You Don't Need to Understand It)
Here's some perspective on how random is random enough.
A 256-bit random key has roughly 2^256 possible combinations. That's a number with 77 digits. For context:
- Number of atoms in the observable universe: ~10^80
- Number of possible 256-bit keys: ~10^77
They're in the same ballpark. That's how many possible keys exist.
Even with every computer on Earth guessing keys at full speed, it would take longer than the age of the universe to guess yours. That's assuming your key is actually random.
If your key is "password123"? Takes about 0.0001 seconds.
Stop Making Security Harder Than It Needs to Be
I spent way too long trying to be clever with my own random keys. I'd convince myself that my method was special or that I was adding an extra layer by doing it manually.
I wasn't. I was just being lazy and pretending it was a feature.
Security isn't about feeling in control. It's about using tools that work. Tools built by people who understand cryptography way better than I do.
Your job is to build your app. Let the random number generators handle the randomness.
The Reality Check You Need
If your JWT secret key is something you typed yourself, change it. Right now.
If you're using Math.random() to generate security tokens, stop. Use your language's cryptographic random functions instead.
If you're telling yourself "it's probably fine," it's not.
I've seen apps get compromised because someone used a predictable key. It's not theoretical. It happens. Don't be that developer.
What I Do Now
These days, when I need a secret key:
- I use a proper generator (like the one at jwtsecretkeygenerator.com)
- I make sure it's at least 256 bits
- I copy it straight into my .env file
- I never reuse keys between projects
- I rotate keys periodically in production
Takes 30 seconds. No thinking required. No false confidence in my keyboard-smashing abilities.
Just real randomness doing its job.
Your Brain is Amazing at Many Things
Don't get me wrong. Your brain is incredible. It can solve complex problems, learn new skills, and understand abstract concepts.
Being random just isn't one of its strengths.
And that's okay. That's what computers are for. Use them for what they're good at. Save your brain power for the actual hard problems in your code.