A PRNG is initialized from a predictable seed, e.g. using process ID or system time.
Time of Introduction
Architecture and Design
Technical Impact: Varies by context
Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number:
Example Language: Java
Random random = new Random(System.currentTimeMillis());
int accountID = random.nextInt();
Example Languages: C and C++
srand(time(NULL)); /* seed is the current clock value, which is predictable */
int randNum = rand();
An attacker can easily predict the seed used by these PRNGs, and so also predict the stream of random numbers generated. Note these examples also exhibit CWE-338 (Use of Cryptographically Weak PRNG).
Use non-predictable inputs for seed generation.
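The weak pattern and a corrected form side by side, as an added example that is not part of the original entry: the first half shows that a clock-seeded ID is a pure function of the seed and can be reproduced by walking a small time window, the second draws the value from the OS CSPRNG instead. The function names, the constructed timestamp, and the use of /dev/urandom (a Unix-like platform) are assumptions of this example; reading the CSPRNG directly rather than seeding rand() also avoids the CWE-338 problem noted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Weak pattern from the entry: the ID is a pure function of the seed. */
static int weak_account_id(unsigned int seed)
{
    srand(seed);
    return rand();
}

/* Walks backwards from `now` over `window` seconds and returns how many
 * candidate seeds were tried before the observed ID was reproduced
 * (-1 if none matched). Measures how little uncertainty a clock seed adds. */
static long guesses_to_reproduce(int observed, unsigned int now, unsigned int window)
{
    for (unsigned int back = 0; back <= window; back++)
        if (weak_account_id(now - back) == observed)
            return (long)back + 1;
    return -1;
}

/* Corrected form: take the value from the OS CSPRNG. Returns 0 on success. */
static int strong_account_id(unsigned int *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;   /* fail closed: never fall back to rand() */
}

int main(void)
{
    unsigned int issued_at = 1700000000u;   /* constructed timestamp */
    int id = weak_account_id(issued_at);
    /* An auditor who only knows the ID was issued within the last hour: */
    long tries = guesses_to_reproduce(id, issued_at + 1800u, 3600u);
    printf("weak ID %d reproduced after %ld guesses\n", id, tries);

    unsigned int sid;
    if (strong_account_id(&sid) != 0) {
        fprintf(stderr, "no entropy source available\n");
        return 1;
    }
    printf("CSPRNG ID %u\n", sid);
    return 0;
}
```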
Phases: Architecture and Design; Requirements
Strategy: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [R.337.1] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might