How Do Random Password Generators Work?

A random password generator is a software program, hardware device, or online tool that automatically generates a password using parameters that a user sets, including mixed-case letters, numbers, symbols, pronounceability, length, and strength.

There are three kinds of random number generators that can feed a password generator:

Pseudorandom number generators (PRNGs)

True random number generators (TRNGs)

Cryptographically secure pseudorandom number generators (CSPRNGs)

Now, take a look at these 5 randomly generated passwords I created using Dashlane’s Password Generator:

BP#/P-pQ8p2_

Z9tOh|ES*GOX

1b-'$W^$)e/I

q8uQPjgyzp%:

["cB6}%gvl~a

Notice any patterns or trends? Of course not, because these passwords are random…right? In fact, randomly generated passwords may not be as “random” as they seem.

In this post, I’ll explain what a random number generator is, how it works to create your passwords, and if the results they produce are truly random.

What makes something “random”?

If I use a random password generator 5, 10, 100, or 1,000 times with the same parameters, there's little chance that it will produce the same result twice, because it's supposed to be random: the results should be unpredictable, follow no set pattern, and no previous result should have any effect on the ones that follow. But the results I see aren't really random; they only appear to be random.

In a BBC broadcast, Marcus du Sautoy, the Oxford Simonyi Professor for the Public Understanding of Science at the University of Oxford, says that “randomness” is non-deterministic, meaning you will not be able to work out what is going to happen based on previous information.

Du Sautoy uses the example of rolling dice, and claims that if you know the exact “initial setup” of the dice prior to rolling them–their dimensions, weight, the amount of force applied to the dice, the contours of the surface the dice land on, the distance and speed traveled before landing on the table, etc.–then you should be able to predict where they will land. “But the point is that we can never know the precise initial setup of dice, meaning it’s non-deterministic,” he said. We can apply this same logic to shuffling cards, the lottery, playing a roulette wheel at a casino, and other games of chance.

Aren’t random password generators supposed to be “random”?

No, not all “random password generators” create truly random results. If I use a generic random password generator to create 10,000 new passwords, those passwords are pseudo-random: they look random, but each one was computed deterministically from a starting value, the seed.

Steve Ward, Professor of Computer Science and Engineering at MIT’s Computer Science and Artificial Intelligence Laboratory, says traditional computer systems aren’t great at generating random results. “They’re deterministic, which means that if you ask the same question you’ll get the same answer every time,” he says. “In fact, such machines are specifically and carefully programmed to eliminate randomness in results. They do this by following rules and relying on algorithms when they compute.”

According to Ward, a completely deterministic machine can’t generate truly random number sequences because it follows the same algorithm to produce its results. “Typically, that means it starts with a common ‘seed’ number and then follows a pattern,” he says. Therefore, passwords from such a generator aren’t truly random: they are the deterministic output of an algorithm run from a seed, and anyone who learns the seed and the algorithm can regenerate every one of them.

For my computer to generate a truly random result from rolling dice, for example, it would have to actually roll the die itself. Since it’s hard to connect a real die to a computer (and computers don’t have hands), it’s easier for computers to obtain truly random results by sampling unpredictable physical processes: the movements of your mouse, background or atmospheric noise, radioactive decay, or snapshots of lava lamps.

If my passwords aren’t truly random, are they safe?

Generally, yes! In Andrea Rock’s study on Pseudorandom Number Generators for Cryptographic Applications, she notes that many random generators “use cryptographic primitives like hash functions (e.g. SHA-1 or MD5) or block ciphers (DES, Triple-DES, AES)” to resist cryptanalytic attacks, input-based attacks, and state compromise extension attacks. The particular primitives in that list reflect when the study was written: MD5, SHA-1, DES and Triple-DES are deprecated today, and a current CSPRNG design is built on AES, SHA-2 or ChaCha20 instead.

However, Rock also encourages consumers to examine a password generator more closely before using it. Not all password generators take the same precautions, and that is the difference between an ordinary pseudo-random number generator (PRNG) and a cryptographically secure pseudo-random number generator (CSPRNG): an ordinary PRNG only has to produce output that looks statistically random, whereas a CSPRNG must also make it computationally infeasible to predict future output, or recover earlier output, from whatever has already been seen. While a free PRNG is a simple Google search away, CSPRNGs, like the one behind Dashlane’s Password Generator, are what should be used to create randomized passwords, generate the encryption keys and nonces that protect user data, and drive any other security-related process in an app.

According to technology consultants at Paragon Initiative Enterprises, one reason some PRNGs are “weak” is that the “seed” number for their algorithm is a 32-bit integer: there are only 2^32 (about 4.3 billion) possible seeds, so the generator can only ever produce that many distinct output sequences, no matter how long each password is.

Sure, 4 billion seems like a large number, but as the Paragon consultants demonstrate, a list of all those results fits on a generic USB drive and “it will take a resourceful attacker only a few minutes to generate such a list from your algorithm.” They also point out that with weak PRNGs an attacker can often recover the seed from a few generated results and then predict most, if not all, of its future outputs.

But, the good news is that there is a way to strengthen pseudorandom generators. Dashlane’s Head of Security, Cyril Leclerc, told me that the secret ingredient found in all CSPRNGs is high entropy. In previous blog posts, we generally talk about password entropy, a measure of a password’s strength and unpredictability. Similarly, entropy in the context of computing refers to the unpredictability of the data gathered for cryptographic and security functions.

Mark Ward, a BBC News Technology correspondent, simplifies our definition of entropy like this:

“An unshuffled pack of cards has a low entropy, said Mr. Potter, because there is little surprising or uncertain about the order the cards would be dealt. The more a pack was shuffled, he said, the more entropy it had because it got harder to be sure about which card would be turned over next.”

Remember when I said that it’s easier for computers to produce truly random results if they rely on unpredictable processes? The same holds for gathering entropy. A CSPRNG’s seed is built from unpredictable physical events such as network and disk activity, keystroke and mouse timings, and hardware noise sources, which the operating system collects into an entropy pool (on Linux, this is what /dev/urandom and getrandom() hand out). That seed is what your new random password is ultimately derived from, and a seed carrying far more than 32 bits of entropy is what removes the brute-force shortcut described above. In sum, the higher the entropy, the harder a random number or password is to predict.
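To make the two points above concrete (the seed recovery Paragon describes for a 32-bit seed, and the entropy cap that seed imposes no matter how long the password is), here is an added example. It is not Dashlane’s or Paragon’s code: the linear congruential generator, the character set and the timestamp scenario are all constructed for illustration, and the hardened version simply draws each character from the operating system’s CSPRNG through Python’s secrets module.

```python
import math
import secrets
import string
from typing import Iterable, List, Optional

# Character set a generator might draw from (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-/=?@^_~"

# A textbook 32-bit linear congruential generator (Numerical Recipes constants):
# the "start with a seed, then follow a pattern" generator the article describes.
LCG_A, LCG_C, LCG_MOD = 1664525, 1013904223, 2 ** 32


def lcg_next(state: int) -> int:
    """One LCG step. The entire state is 32 bits, so only 2**32 sequences exist."""
    return (LCG_A * state + LCG_C) % LCG_MOD


def char_from_state(state: int) -> str:
    """Map the top 8 bits of the state to a character (the low bits of an LCG are poor)."""
    return ALPHABET[(state >> 24) % len(ALPHABET)]


def weak_password(seed: int, length: int) -> str:
    """Vulnerable generator: every character is a deterministic function of the seed."""
    state = seed % LCG_MOD
    chars = []
    for _ in range(length):
        state = lcg_next(state)
        chars.append(char_from_state(state))
    return "".join(chars)


def recover_seeds(known_prefix: str, candidates: Iterable[int]) -> List[int]:
    """Attacker side: try each candidate seed and keep those that reproduce the
    characters already seen. Offline, 'candidates' can be all 2**32 seeds (minutes
    of work in C); here a narrower range is used, e.g. timestamps near creation time."""
    matches = []
    for seed in candidates:
        state = seed % LCG_MOD
        for ch in known_prefix:
            state = lcg_next(state)
            if char_from_state(state) != ch:
                break
        else:
            matches.append(seed)
    return matches


def predict_passwords(known_prefix: str, candidates: Iterable[int], length: int) -> List[str]:
    """Regenerate the full password for every seed consistent with the known prefix."""
    return [weak_password(seed, length) for seed in recover_seeds(known_prefix, candidates)]


def entropy_cap_bits(length: int, alphabet_size: int, seed_bits: Optional[int]) -> float:
    """Upper bound on password entropy: the charset/length figure, capped by the seed
    size. A 32-bit seed caps a 12-character password at 32 bits; a CSPRNG (seed_bits=None)
    draws fresh randomness per character, so only the charset/length bound applies."""
    charset_bits = length * math.log2(alphabet_size)
    return charset_bits if seed_bits is None else min(charset_bits, seed_bits)


def secure_password(length: int) -> str:
    """Hardened form: each character comes from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: the weak generator was seeded with the Unix time of
    # creation, and the attacker knows that time to within half a day either way
    # (for instance from an account-creation timestamp).
    creation_time = 1_600_000_000  # constructed timestamp, not a real event
    pw = weak_password(creation_time, 12)
    window = range(creation_time - 43_200, creation_time + 43_200)
    print("weak password          :", pw)
    print("predicted from 5 chars :", predict_passwords(pw[:5], window, 12))
    print("weak entropy cap (bits):", entropy_cap_bits(12, len(ALPHABET), 32))
    print("CSPRNG entropy (bits)  : %.1f" % entropy_cap_bits(12, len(ALPHABET), None))
    print("secure password        :", secure_password(12))
```

Seeing five characters of the weak password plus a rough idea of when it was made is enough to regenerate the remaining seven, and the 32-bit seed caps the whole 12-character password at 32 bits of entropy even though the character set would allow about 75. The secure version has no seed to recover: every call to secrets.choice pulls fresh randomness from the operating system’s entropy pool.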

Should I use a “true” random password generator?

Quite frankly, seeking out a “true” random password generator isn’t necessary to generate a strong password. For starters, pseudo-random numbers are extremely valuable, especially for statisticians, computer scientists, mathematicians, and cryptographers because they’re easier to produce than truly random numbers.

Also, in her study, Rock lists three disadvantages of true random number generators (TRNGs):

  1. TRNGs are biased. “On average their output might contain more ones than zeros and therefore does not correspond to a uniformly distributed random variable,” she says. Rock says there are ways of balancing out those results, but doing so reduces the “number of useful bits” and the generator’s efficiency.
  2. TRNGs are costly. True random number generators are very expensive or need an additional hardware device to operate.
  3. TRNGs can’t keep up. Finally, TRNGs are usually “too slow for the intended applications,” she says.
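The first of these disadvantages, and the cost of fixing it, can be seen in a short added example (not from Rock’s study or any real hardware): a constructed, seeded simulation stands in for a biased TRNG, and von Neumann’s extractor, a standard debiasing step, balances its output. The yield figure is exactly the loss of “useful bits” that the list item refers to.

```python
import math
import random
from typing import Iterable, List


def biased_source(n_bits: int, p_one: float, seed: int = 1) -> List[int]:
    """Constructed stand-in for a biased TRNG: a seeded simulation that emits 1 with
    probability p_one, so runs are reproducible. Real hardware would be sampled from a
    noise source (ring oscillator, avalanche diode, ...) instead."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def shannon_entropy_per_bit(bits: Iterable[int]) -> float:
    """Entropy per output bit, assuming independent bits: 1.0 only when ones and
    zeros are equally likely. (Cryptographic entropy estimation uses the stricter
    min-entropy; Shannon entropy is used here just to show the bias.)"""
    bits = list(bits)
    if not bits:
        return 0.0
    p = sum(bits) / len(bits)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def von_neumann_extract(bits: Iterable[int]) -> List[int]:
    """Von Neumann debiasing over non-overlapping pairs: 10 -> 1, 01 -> 0, and 00 / 11
    are discarded. If input bits are independent, both kept pairs have probability
    p(1-p), so the output is exactly unbiased whatever p is. The price is yield: only
    2p(1-p) of the pairs produce a bit, i.e. never more than one output bit per four
    input bits, which is why the extractor costs throughput."""
    bits = list(bits)
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # (1,0) -> 1, (0,1) -> 0
    return out


def debias_report(n_bits: int, p_one: float) -> dict:
    """Run the biased source through the extractor and report bias, entropy and yield."""
    raw = biased_source(n_bits, p_one)
    clean = von_neumann_extract(raw)
    return {
        "raw_ones_fraction": sum(raw) / len(raw),
        "raw_entropy_per_bit": shannon_entropy_per_bit(raw),
        "clean_ones_fraction": sum(clean) / len(clean),
        "clean_entropy_per_bit": shannon_entropy_per_bit(clean),
        "yield": len(clean) / len(raw),
    }


if __name__ == "__main__":
    # Constructed run: a source that emits 1 about 70% of the time.
    for key, value in debias_report(20_000, 0.7).items():
        print(f"{key:>22}: {value:.3f}")
```

With a 70/30 source the raw stream carries roughly 0.88 bits of entropy per bit; after extraction the ones fraction sits at one half, but only about one output bit survives for every five input bits, so a hardware generator that was already "too slow for the intended applications" gets slower still. Note the independence assumption in the extractor: correlated input bits are not fixed by this step, which is one reason real designs feed raw TRNG output through a cryptographic conditioner (or use it only to seed a CSPRNG) rather than handing it out directly.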

Phew! That was a lot of detailed information, but I hope you learned something new about randomness and how password generators work. If you have any questions, feel free to leave your thoughts in the comments below!