How are “random” passwords generated


I mean if it’s generated by some piece of code that would imply it follows some methodology or algorithm to come up with something. How could that be random? Random is that which is unpredictable.


20 Answers

Anonymous 0 Comments

There are two concepts in software engineering related to this – “pseudorandom” and “true random”.

Pseudorandom numbers are always generated from a single deterministic “seed” (usually the current system time or a variant of it). Say you start with 5, and your algorithm is “multiply the last generated number by 2 and add 7”. So you will generate 5, 17, 41, 89, 185… These numbers at a glance may *seem* random, but if you know the seed value and the exact algorithm used you can always predict them. So this is exactly like what you described.

The thing is, most applications work just fine with such “random” numbers. Think shuffling songs on your playlist or playing a game. Unless the task involves security or something equally critical, it’s perfectly fine for such numbers to be deterministic to some degree.

On the other hand there is often a need for “true” random numbers, ones that cannot be predicted no matter what. In these cases computers use external sources of randomness. A combination of stuff like – you moving your mouse around the screen, packets received over the network, CPU temperature, Disk I/O, microphone noise, camera input. Sometimes computers can even have specialized hardware to generate randomness, e.g. by measuring radioactive decay.
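An added example, not part of the original answer: the toy recurrence above in Python, then a password generator seeded from a clock value beside one that draws from the operating system's CSPRNG. The alphabet, the 16-character length and the sample timestamp are assumptions made for the illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed)

def toy_sequence(seed, count):
    """The answer's toy generator: next = last * 2 + 7."""
    values = [seed]
    while len(values) < count:
        values.append(values[-1] * 2 + 7)
    return values

def seeded_password(seed, length=16):
    """Weak form: every character is fixed once the seed is fixed."""
    rng = random.Random(seed)  # Mersenne Twister, not meant for secrets
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def csprng_password(length=16):
    """Hardened form: each character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(possibilities):
    """Bits of entropy when all possibilities are equally likely."""
    return math.log2(possibilities)

# Constructed sample seed: a Unix timestamp in whole seconds.
SAMPLE_SEED = 1700000000

if __name__ == "__main__":
    print(toy_sequence(5, 5))
    # Same seed, same password, on any machine and at any time.
    print(seeded_password(SAMPLE_SEED) == seeded_password(SAMPLE_SEED))
    # A one-second clock seed from a known day has 86400 possible values,
    # so the password carries that much entropy however long it is.
    print(round(entropy_bits(86400), 1))
    # 16 independent characters from 62 symbols.
    print(round(entropy_bits(len(ALPHABET) ** 16), 1))
```

The seeded password is never stronger than its seed: the length of the output adds nothing once the seed can be enumerated.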

Anonymous 0 Comments

All modern computers have hardware in the processor that makes random numbers. It’s usually based on quantum effects – small changes of current across a piece of wire. 

Then they use that random data to mix it up with all the things others have mentioned. When done right it’s truly random and secure. 

And some more expansion is required on:
> Random is that which is unpredictable.

You can shuffle a deck of cards and then give it to several more people to shuffle. It was a process, and if you’d recorded it carefully you could reconstruct it. But for someone you give that deck of cards to, the order is unpredictable. Is it random according to your definition?

Anonymous 0 Comments

There’s a few different things going on.

First off, you do actually have true randomness. It was historically a problem, but modern CPUs do, in fact, have [true random number generators](https://en.wikipedia.org/wiki/RDRAND). One of the common sources of entropy (“randomness”) is thermal noise: CPU temperature will easily fluctuate by a degree or two within the span of a second, so the value of, say, the third decimal place in that number can be _anything_. It’s effectively true randomness. You can then use some cryptographic magic to “stretch” that little slice of randomness into a larger chunk of random numbers. That said, those things are, by their very nature, pretty damn opaque and it’s borderline impossible to verify the truth of their claims of randomness, so e.g. Linux has historically not really trusted RDRAND as a source of entropy.

Then you have pseudo-random number generators (PRNGs). They’re basically complex mathematical formulas that produce random-seeming numbers. Keyword is “seeming”: From a given starting value, they will always produce the same sequence of numbers (hence _pseudo_-random). If you’re not doing something security critical (say, if you’re writing a simulation of some sort), you have PRNGs optimised for speed. If you’re trying to do security related stuff (generating passwords is the obvious one, but random numbers are _very_ important in security), then you have cryptographically-secure PRNGs (CPRNGs). They’re slower, but produce results that are, statistically, more or less indistinguishable from true randomness.

Anonymous 0 Comments

In a deterministic universe, nothing is unpredictable, but some events are damn too complicated to be, in practice, predicted.

There is nothing essentially unpredictable when you toss a coin, or roll a dice.

A random generator outputs a seemingly random, but essentially fixed, stream of numbers. The catch is, you can start in this stream from wherever you want. This starting point is called ‘the seed’.

If you calculate this seed by mixing together the current temperature of the CPU, the content of a couple of memory cells, the amount of vertical pixel movements of your mouse for the last 5 minutes, the sum of the values of every third byte that passed through your network interface, multiplied by the value of every fourth byte read by your disk interface, you end up with a pretty impossible to guess seed, hence a pretty random stream of numbers spat out of your random generator.

Anonymous 0 Comments

If you have enough information about the starting conditions and the process involved, anything is predictable. A coin toss isn’t random if the person tossing the coin has practiced flipping it so it lands on one side or another. For practical purposes, randomness isn’t so much about an unpredictable outcome as it is about distributing information in such a way that no one has access to what would be needed to predict the outcome. To put it another way, it’s about distributing ignorance of the starting conditions and the process.

That’s why things like the tick count since boot are useful in pseudorandom generators: it’s not that the condition can’t be known, it’s that an adversary won’t have enough information to know it.

Anonymous 0 Comments

A computer is indeed a very deterministic device and generating something “random” on it is quite a challenge, but it can be done.
You need 2 things:

1. A pseudo-random number generator (PRNG).

This is an algorithm that generates a result (the output) based on an input (the seed). As the name implies, it is not really random and the same input will always result in the same output, however, one of the properties it has is that it is a one-way function. Based on the output, it is impossible to determine the input, and a slight change in input will drastically alter the output. (It is comparable with a hash function.)

2. A random source for your input seed

You need randomness to create a random number. Sounds weird, but not all randomness is alike. This source needs to fluctuate and it doesn’t matter if it is not completely random, as long as the fluctuations are unpredictable. In a computer this could be: CPU temperature, noise on the audio channel, pixel noise from a camera, bits of an unallocated memory location, etc…

If 2 is used as (part of) the seed for 1, then the output generated is random enough to be called random. This random output is then converted to characters to create a password.

With the same seed, you will generate the same password, but the point is that this seed is unpredictable because of the slight perturbations and therefore it is very unlikely to be generated again.
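An added example, not part of the original answer, of the last step it describes: turning random output into password characters. It shows that the obvious `byte % len(alphabet)` mapping favours some characters, and a rejection-sampling version that does not; the 62-symbol alphabet and the function names are assumptions made for the illustration.

```python
import os
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed)

def modulo_counts(alphabet=ALPHABET):
    """How often each symbol is picked by `byte % len(alphabet)`
    across all 256 equally likely byte values."""
    return Counter(alphabet[b % len(alphabet)] for b in range(256))

def password_from_bytes(length, read=os.urandom, alphabet=ALPHABET):
    """Map random bytes to characters with rejection sampling.

    Bytes at or above the largest multiple of len(alphabet) that fits
    in 256 are thrown away, so every symbol stays equally likely.
    `read(n)` must return random bytes; os.urandom is the OS CSPRNG.
    """
    if not 0 < len(alphabet) <= 256:
        raise ValueError("alphabet must have between 1 and 256 symbols")
    limit = 256 - (256 % len(alphabet))  # 248 for 62 symbols
    chars = []
    while len(chars) < length:
        for b in read(length):
            if b < limit and len(chars) < length:
                chars.append(alphabet[b % len(alphabet)])
    return "".join(chars)

if __name__ == "__main__":
    counts = modulo_counts()
    # 256 = 4 * 62 + 8, so the first 8 symbols get one extra byte value.
    print(counts["a"], counts["h"], counts["i"], counts["9"])
    print(password_from_bytes(16))
```

In Python, `secrets.choice` already selects without this bias, so hand-written mapping like the above is only needed when working from raw bytes.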

Anonymous 0 Comments

My understanding is any computer generated randomness isn’t truly random, it just has the appearance of being random. And is random for the purposes with which they are most often used.

Anonymous 0 Comments

Yes, computers can never be truly random. Instead, a computer usually uses an algorithm that is given a starting number and then creates numbers that appear random. Since the same starting number will always create the same “random” numbers, your computer will usually combine a bunch of numbers such as the current time to have a different starting number each time.

Anonymous 0 Comments

The type of randomness you’re referring to is called ‘pseudo-randomness’. It’s not really random because there’s a deterministic process to generate it, but good pseudo random number generators (PRNGs) can produce very long sequences of numbers that are statistically indistinguishable from true randomness which is fine for the vast majority of use cases.

When you need true randomness you can sample an unpredictable physical system, for example you can measure thermal noise in an electronic circuit. CPUs have had these types of true random generators for a long time.

The downside of true RNGs is that they’re typically slow (compared to a PRNG).

The problem with using PRNGs for cryptography is that it’s possible to work out the internal state of the PRNG from a (typically) few samples and then predict all future numbers, with some PRNGs being easier to break than others.

Anonymous 0 Comments

The basic answer is that it isn’t. Computers are pseudo-random, they can create outputs which look random but actually aren’t.

For more cryptographically secure purposes, they can use certain sources of data like the micro movements of the mouse and the timing between keystrokes to derive extra randomness, but even this isn’t truly random.

Some companies use more extreme measures to get truly random data, like Cloudflare recording a wall full of lava lamps, or random.org using atmospheric noise.