Random java.util.Random 其實一點也不 Random, 因為屬於一種線性分佈, 線性不比離散, 所以就是有公式可以預測啦~ 大神的論文在 這裡 https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom The standard Oracle JDK 7 implementation uses what's called a Linear Congruential Generator to produce random values in java.util.Random. Predictability of Linear Congruential Generators Hugo Krawczyk wrote a pretty good paper about how these LCGs can be predicted ("How to predict congruential generators"). If you're lucky and interested, you may still find a free, downloadable version of it on the web. And there's plenty more research that clearly shows that you should never use an LCG for security-critical purposes. This also means that your random numbers are predictable right now, something you don't want for session IDs and the like. 隨機數安全議題 http://wps2015.org/drops/drops/%E8%81%8A%E4%B8%80%E8%81%8A%E9%9A%8F%E6%9C%BA%E6%95%B0%E5%AE%89%E5%85%A8.html Secu...