diff --git a/httpsso/handler.go b/httpsso/handler.go
index f2a8123fb8aa44ad69ef637364d7ef2e9c275604..7d42db83702d092cec12e48dbea14d63f22f921f 100644
--- a/httpsso/handler.go
+++ b/httpsso/handler.go
@@ -1,10 +1,11 @@
 package httpsso
 
 import (
+	"crypto/rand"
 	"encoding/gob"
 	"encoding/hex"
 	"io"
-	"math/rand"
+	"log"
 	"net/http"
 	"net/url"
 	"strings"
@@ -95,6 +96,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, sessi
 	// Pop the nonce from the session.
 	nonce, ok := session.Values["nonce"].(string)
 	if !ok || nonce == "" {
+		log.Printf("got login request without nonce")
 		http.Error(w, "Missing nonce", http.StatusBadRequest)
 		return
 	}
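Review bot: The added log line for a missing nonce carries no request context, so repeated hits cannot be attributed or correlated during triage. `req` is in scope here, so something like `log.Printf("login request without nonce from %s", req.RemoteAddr)` would make the entry usable for detection. If the service sits behind a reverse proxy, the forwarded client address would be needed instead. handleLogin starts and ends outside this hunk.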
@@ -102,6 +104,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, sessi
 
 	tkt, err := s.v.Validate(t, nonce, service, groups)
 	if err != nil {
+		log.Printf("validation error for token %s: %v", t, err)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
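Review bot: The added `log.Printf` writes the raw token `t` into the log with `%s`. `t` is assigned outside this hunk, but if it is the client-supplied SSO token it is both credential material and attacker-controlled text, so a token rejected here for a nonce or service mismatch may sit in log storage while still being otherwise valid, and embedded newlines can forge log entries. Logging the error with request context and leaving the token out is safer, for example `log.Printf("token validation failed from %s: %v", req.RemoteAddr, err)`. If the token is needed for debugging, a truncated or `%q`-quoted form limits both problems. handleLogin starts and ends outside this hunk.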
@@ -171,7 +174,7 @@ func getFullURL(req *http.Request, scheme string) *url.URL {
 
 func makeUniqueNonce() string {
 	var b [8]byte
-	if _, err := rand.Read(b[:]); err != nil {
+	if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
 		panic(err)
 	}
 	return hex.EncodeToString(b[:])
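Review bot: makeUniqueNonce has no comment saying that the nonce must be unpredictable, which is the reason this line now reads from crypto/rand. Judging by handleLogin, the nonce appears to tie the returned token to the session, so a doc comment such as `// makeUniqueNonce returns a hex-encoded nonce read from crypto/rand; it must stay unpredictable.` would keep a later edit from reverting to a non-cryptographic source. The buffer is still 8 bytes (64 bits); if nothing depends on the 16-character length, `var b [16]byte` gives a wider margin. The function's closing brace is outside this hunk.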
diff --git a/saml/saml.go b/saml/saml.go
index 6d5fe2d42786075891b57b2228a7483ad928eb9e..f130454b0d814592afb8411ebc4a9a3cf9685a4c 100644
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -8,6 +8,7 @@ import (
 	"encoding/xml"
 	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"net/url"
@@ -208,7 +209,7 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 
 func randomBytes(n int) []byte {
 	b := make([]byte, n)
-	if _, err := rand.Read(b); err != nil {
+	if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
 		panic(err)
 	}
 	return b
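Review bot: `b` is already a slice here, so the `b[:]` in the new `io.ReadFull` call is redundant and reads as if `b` were an array; `if _, err := io.ReadFull(rand.Reader, b); err != nil {` is the plain form. The same applies to randomDeviceID in server/device/manager.go, where `b` also comes from `make([]byte, 8)`. The helpers now panic on a failed read, so a one-line comment like `// panics if the system CSPRNG is unavailable; there is no safe fallback` would record that this is deliberate. randomBytes's closing brace is outside this hunk.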
diff --git a/server/device/manager.go b/server/device/manager.go
index c0fa0af25996477e75a504616647108b15506448..8c3e1063b2d47f01009cef7514fb92a05ce0bc2d 100644
--- a/server/device/manager.go
+++ b/server/device/manager.go
@@ -3,6 +3,7 @@ package device
 import (
 	"crypto/rand"
 	"encoding/hex"
+	"io"
 	"log"
 	"net"
 	"net/http"
@@ -15,7 +16,9 @@ import (
 
 func randomDeviceID() string {
 	b := make([]byte, 8)
-	rand.Read(b)
+	if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
+		panic(err)
+	}
 	return hex.EncodeToString(b)
 }
 
diff --git a/server/service_test.go b/server/service_test.go
index 6cc74355f475d33b58bafdbe4b88ae9f946872e2..a5087b4183067edd8bb542b2b9946c5cea14ad31 100644
--- a/server/service_test.go
+++ b/server/service_test.go
@@ -1,7 +1,6 @@
 package server
 
 import (
-	"crypto/rand"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -12,7 +11,7 @@ import (
 )
 
 func testConfig(t testing.TB, tmpdir string) *Config {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	pub, priv, err := ed25519.GenerateKey(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
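Review bot: `ed25519.GenerateKey(nil)` relies on the package substituting crypto/rand.Reader for a nil reader. crypto/ed25519 and golang.org/x/crypto/ed25519 document that behaviour, but the import is not visible in this hunk, so it is worth confirming which package is in use. A short comment above the call, `// nil selects crypto/rand.Reader`, would stop it from reading as "no randomness source". The same applies to TestEd25519 in sso_test.go. testConfig continues outside this hunk.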
diff --git a/sso_test.go b/sso_test.go
index b504650c3c476be49198755cd1c19dfc38b5a010..420c7645a935eec08df2ea9764ad7f62ce282d06 100644
--- a/sso_test.go
+++ b/sso_test.go
@@ -1,7 +1,6 @@
 package sso
 
 import (
-	"crypto/rand"
 	"testing"
 	"time"
 
@@ -9,7 +8,7 @@ import (
 )
 
 func TestEd25519(t *testing.T) {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	pub, priv, err := ed25519.GenerateKey(nil)
 	if err != nil {
 		t.Fatal(err)
 	}