diff --git a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
index 107ec20db..022831203 100644
--- a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
+++ b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
@@ -16,6 +16,7 @@
 */
 package org.apache.commons.lang3;
+import java.security.SecureRandom;
 import java.util.Random;
 /**
@@ -33,6 +34,12 @@ import java.util.Random;
 *
 * RandomStringGenerator instead.

*
+ *

Note. This class relies on an instance {@link Random}, and instances
+ * of {@link Random} are not cryptographically
+ * secure. Consider instead using {@link SecureRandom}, for which we have no utility class,
+ * to get a cryptographically secure pseudo-random number generator for use by
+ * security-sensitive applications.

+ *
 *

#ThreadSafe#

* @since 1.0
 */
diff --git a/src/main/java/org/apache/commons/lang3/RandomUtils.java b/src/main/java/org/apache/commons/lang3/RandomUtils.java
index e9992930e..6a899dcda 100644
--- a/src/main/java/org/apache/commons/lang3/RandomUtils.java
+++ b/src/main/java/org/apache/commons/lang3/RandomUtils.java
@@ -16,11 +16,17 @@
 */
 package org.apache.commons.lang3;
+import java.security.SecureRandom;
 import java.util.Random;
 /**
 *
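Review bot: The added RandomStringUtils note reads "relies on an instance {@link Random}", which drops a word, and it tells readers only that no SecureRandom utility class exists without saying what that means for the strings this class produces. I would reword the opening to `This class relies on an instance of {@link Random}, which is not cryptographically secure.` and add a sentence stating that the generated strings must not be used as passwords, session identifiers, tokens or keys. RandomStringUtils also has a `random(...)` overload that takes a caller-supplied `Random` (not visible in this hunk), so the note could point out that passing a `SecureRandom` there gives a secure source without a new utility class. The class comment begins before this hunk and the class body lies after it.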

Utility library that supplements the standard {@link Random} class.

*
+ *

Note. Instances of {@link Random} are not cryptographically
+ * secure. Consider instead using {@link SecureRandom}, for which we have no utility class,
+ * to get a cryptographically secure pseudo-random number generator for use by
+ * security-sensitive applications.

+ *
 * @since 3.3
 */
 public class RandomUtils {
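Review bot: The RandomUtils note states that instances of `Random` are not cryptographically secure but, unlike the RandomStringUtils note, never says that this class draws its values from one, so a reader cannot tell from the Javadoc that the warning applies to these methods. Presumably the class uses a shared `Random` (its body is outside the hunk); if so, open the note with `This class relies on an instance of {@link Random}, which is not cryptographically secure.` so the two notes match. Separately, `import java.security.SecureRandom;` is added here and in the first RandomStringUtils hunk only to resolve a Javadoc link; writing `{@link java.security.SecureRandom}` would avoid an import that unused-import checks configured to ignore Javadoc may flag.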