by barrkel
1522 days ago
$RANDOM has low entropy, a predictable sequence and it's even more predictable if you use modulus.

$RANDOM provides 15 bits of randomness (32768 possible values) from an LCG[1] - https://en.wikipedia.org/wiki/Linear_congruential_generator

LCGs are multiply followed by add followed by modulus, which is usually implied by a mask or a native word bit length rolling over. You should observe that multiplies have patterns in the lower digits which an add will only offset, and the modulus will only throw away high bits rather than mix them back in to the low bits.

Consider the low digit in multiples of 7 (what you'd get picking a number between 0 and 9 inclusive via modulus):

7 -> 7
14 -> 4
21 -> 1
28 -> 8
35 -> 5
42 -> 2
49 -> 9
56 -> 6
63 -> 3
70 -> 0
77 -> 7
84 -> 4
91 -> 1
98 -> 8
105 -> 5
112 -> 2
119 -> 9
126 -> 6
133 -> 3
140 -> 0

The lowest digit has the sequence 7418529630 repeating, which isn't very random. Modulus preserves low order bits and throws away the magnitude of the number.

The result is that if you want to get half-decent low-valued random numbers from an LCG, you should take x/range * limit rather than %. You can do this with integer arithmetic via multiply and shift if you have an integer twice the size of your LCG.

But again, don't use an LCG for generating your password.

[1] I looked at the source. Bash looks like it tries to use random(3) if it's available, otherwise it seems to use this, which doesn't have an add: x(n+1) = 16807 * x(n) mod (m)
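
The modulus-versus-scaling point in the comment above, as an added example that is not part of the original comment: a constructed LCG with a power-of-two modulus, reduced to a small range both with % and with multiply and shift. The constants, seed and function names are assumptions chosen for illustration; this is not Bash's $RANDOM generator.

```shell
#!/bin/sh
# Constructed demo LCG (an assumption, not Bash's generator):
#   x' = (A * x + C) mod 2^BITS
A=1103515245
C=12345
BITS=31

# lcg_next STATE -> prints the next state (multiply, add, mask)
lcg_next() {
    echo $(( ($1 * $A + $C) & ((1 << $BITS) - 1) ))
}

# by_modulus STATE LIMIT -> keeps only the low-order bits of the state
by_modulus() {
    echo $(( $1 % $2 ))
}

# by_scaling STATE LIMIT -> x/range * limit done as multiply then shift,
# so the result is decided by the high-order bits of the state.
# Needs integers at least twice as wide as the LCG (64-bit shell arithmetic).
by_scaling() {
    echo $(( ($1 * $2) >> $BITS ))
}

# sequence METHOD SEED LIMIT COUNT -> COUNT outputs, space separated
sequence() {
    method=$1 state=$2 limit=$3 count=$4 out=""
    while [ "$count" -gt 0 ]; do
        state=$(lcg_next "$state")
        out="$out$("$method" "$state" "$limit") "
        count=$((count - 1))
    done
    echo "${out% }"
}

# With A and C both congruent to 1 mod 4, x % 4 simply counts upward.
echo "x % 2       : $(sequence by_modulus 42 2 12)"
echo "x % 4       : $(sequence by_modulus 42 4 12)"
echo "(x*4) >> 31 : $(sequence by_scaling 42 4 12)"
```

Scaling only removes the visible low-bit pattern; the state is still a 31-bit LCG and every output remains predictable from the seed.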