How are “random” passwords generated

1.06K viewsMathematicsOther

I mean if it’s generated by some piece of code that would imply it follows some methodology or algorithm to come up with something. How could that be random? Random is that which is unpredictable.

In: Mathematics

20 Answers

Anonymous 0 Comments

A computer has access to plenty of random information. Any time you have a sensor, the lowest bits tends to be noise. Every modern processor has a temperature sensor. The lowest bits are hopelessly noisy, and it turns out that the noise is from quantum mechanics effects, so it is truly random.

The computer have a bunch of other sources of random noise like that, and the operating system will gather it and use it generate truly random numbers via API to the apps that ask for it.

Anonymous 0 Comments

For the most part, they aren’t random. Computers can’t natively produce anything random. Most of the time this isn’t a big deal because no one is going to reverse engineer the algorithm the computer used to create the data – for a password generator, whatever seed the computer used creates data random _enough_.

For situations where you **truly** need random data, the computer will sample an outside data source assumed to be random. For example, it might take a snapshot of atmospheric data or a [lava lamp wall](https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/).

Anonymous 0 Comments

Your operating system has a built-in cryptographic random number generator. The old Windows one used the following data to create a random number:

* The current process ID (GetCurrentProcessID).
* The current thread ID (GetCurrentThreadID).
* The tick count since boot time (GetTickCount).
* The current time (GetLocalTime).
* Various high-precision performance counters (QueryPerformanceCounter).
* An MD4 hash of the user’s environment block, which includes username, computer name, and search path. […]
* High-precision internal CPU counters, such as RDTSC, RDMSR, RDPMC

This was eventually deprecated due to various security issues, but that should give you an idea of what goes into it. Just understand that things are a lot more complicated now

Source: https://en.wikipedia.org/wiki/CryptGenRandom

Anonymous 0 Comments

Random numbers can be pseudorandom, which means they are generated by some algorithm which is deterministic (i.e. if it’s reset it will produce the same sequence of numbers). Pseudorandom generators often initialize their state with something derived from some noise information, such as the program start time timestamp. This is called seeding and makes them almost truly random (assuming that initial noise information is truly random). Modern processors have a hardware random number generator (HRNG) module, which often uses physical / quantum effects. Modern Intel and AMD processors support RDRAND instruction which generates a random number.

Anonymous 0 Comments

You’re right, but the problem goes much deeper than that. Essentially every number your computer generates is not actually random, it only pretends to be random by using a complex mixing one-way function.

There are ways to introduce unpredictability to the input of that function though. Common methods include using current time or using mouse and keyboard inputs. But even that’s not the end of the story: some companies use cameras pointed at lava lamps to generate random numbers, others may use quantum probabilistic effects, muon particles entering the atmosphere and many other unpredictable events to generate “real randomness” as an input to those mixing functions – so the result will be “more random”.

However, for individual’s purposes getting the randomness from your inputs, current time and traces of your digital footprint is enough, and your generated passwords are secure and difficult to guess.

Anonymous 0 Comments

random is a selection process. if you randomly select a number out of a jar that has 1-100 numbers in it…….the number was selected randomly. The numbers put in the jar were not random.

passwords are generally governed by a set of rules. length, special characters, etc. so they themselves cannot be “generated” randomly. but you can still randomly select one.

Let’s say there are only 6 possible password combos. There’s only 6. They can’t be THAT random. but i can roll a dice to assign the password. It’s less randomness than if the possible combos of passwords is 1 trillion, but still random

Anonymous 0 Comments

Passwords don’t have to be truly random to work. Say you started a stopwatch, and every time you needed a character, you’d pause the timer and pick the number of milliseconds as the number of character to pick (so like 01 is a, 02 is b, etc. and continuing on for numbers and symbols). It’s explicitly nonrandom, but it appears *random enough* for online purposes. If someone were to try to guess your password, they’d have to know exactly how long it took you to start/stop the timer each time.

That’s pretty much how a lot of these password generators work (with some other internal stuff to make it even more difficult to figure out)–the data needed to backengineer a “random” password is so hard to come up with that it’s effectively the same as just guessing random characters.

Truly random numbers are not needed in most scenarios. In a lot of cases, it’s sufficient to just have numbers that take more effort to figure out how to generate them than it does to randomly guess them. If I picked a number right now that was the remainder when you divide the time I woke up this morning by 7, it would take just as much effort to try to figure out what times I could have plausibly woken up as it would to just guess 1-7.

Anonymous 0 Comments

a lot of the time the algorithm starts with some randomly derived data – things like the last few bits on the clock (2/6/2024 08:15.325 – grab out 815325 and then start doing math on it from there) are a good source that’s usually available, as are temperature or fan speed or any other data derived from the outside world that is near impossible to predict.

Anonymous 0 Comments

One could ask the same question about throwing a die. Given the laws of nature, would someone know the exact initial position, the direction of the throw, the force used, the air conditions, gravity and so on, how could it be random?

Well, for the purpose of us playing say backgammon, it’s random enough. Would you still use dice when playing with an very advanced civilization that could compute the outcome of the throw as described above? Probably not.

Random on computers is pretty much the same. We have simple random algorithms for when it doesn’t really matter much and we also have crypto-graphically more secure algorithms for when the result of the randomness is important to us. We wouldn’t want someone knowing on what kind of device and at what time roughly the password got generated, to be able to “randomly” generate it again.

However, for most purposes where one would generate a random password, like using a password manager to generate unique random passwords for your accounts, it isn’t such a big deal. What I mean by that is that if someone had enough access to your machine to figure out the inputs and factors that ended up with you getting that password generated in order to steal it by generating it again the same way, well, they might’ve just stolen your password directly if they had such access which would render HOW it was generated quite irrelevant.

Anonymous 0 Comments

You’re right, it can’t. The algorithms are based on something that changes. This is called the seed. Usually the computer’s time clock. This is psuedo-random. Usually random enough. The algorithms have problems. If you run it enough times, you can find patterns in the results.

Back in the stone age, I learned to code on a device that did not have a clock(or I didn’t know about it). You had to provide the number, so the “random” program showed the same set of “random” images in sequence. Now, I know I could have used a text file and kept track of a number to make it change.

To make it MORE random, you use something that has no discernable pattern. Someone mentioned a snapshot of atmospheric data or a lava lamp wall. Using quantum particles is as random as you can get, though.