How Password Generators Work

One of the most frequently cited features of password managers is password generation, which is their ability to ease the user’s burden of having to come up with a new, suitably complex password.

Passwords generated by such a tool are highly secure, since they contain a mix of randomly generated ASCII characters.

So why not explore the core of these password generators – which are essentially random number generators – to understand how they work and the safety measures they incorporate?

Generate a Password Using a Password Manager App

When you take a password management app and generate a new password there are typically various recipe options available, but in the end something like the following will be created (in this case generated by 1Password’s password generator):

e4xH67mD&WU?

l9z3″;Z=0XR*,ze

&2jFXpQ$r~61R=#

Notice that there isn’t any pattern to any of these because these passwords are random. Still, there is one thing to know when looking at these passwords: they aren’t as ‘random’ as you’d expect, they only look random. Here’s why…

Three Types of Random Number Generators

At the core of every password generator is a machine called a random number generator. There are three kinds of random number generators:

• Pseudo-random number generators
• True random number generators
• Cryptographically secure pseudo-random number generators

Understanding What Random Is

We have some good news and some bad news for you. The bad: what you thought was random actually isn’t, because “you can program a machine to generate ‘random’ numbers, but the machine is at the mercy of its programming,” Steve Ward, Professor of Computer Science and Engineering at MIT’s Computer Science and Artificial Intelligence Laboratory says. The good: the generated passwords are cryptographically safe.

A random number generator – or in our case a random password generator – is an algorithm that, based on an initial seed or by means of continuous input, produces a sequence of numbers or bits.

So, the central question is: what is random?

The Merriam-Webster dictionary defines “at random” as “without definite aim, direction, rule, or method”. From this perspective, an algorithm developed by humans based on certain rules for a random number generator doesn’t match the definition of “random”; hence questioning its randomness.

According to Ward, computers are “deterministic”, meaning that if you ask the same question, you’ll get the same answer every single time. If not, the computer is broken. In other words, computers are designed to eliminate randomness by default: to follow rules and rely on algorithms as they compute, as Ward explains.

The deterministic nature of computing makes other computers guess what’s going to happen based on previous information. Just a quick example: a Russian hacker who calls himself Alex was able to reverse-engineer the random number generator at the core of a certain type of slot machine, and the four-person team set up by him was able to earn more than a $250,000 per week just by flying from one casino to another and hacking slot machines.

Randomness is the exact opposite of what computers do; that’s why deterministic machines can’t generate truly random number sequences. This is why they turn to pseudo-random number generators or cryptographically secure pseudo-random number generators.

Are the Passwords Generated by Password Generators Safe?

Generally speaking, they are safe, says Andrea Rock in a study entitled Pseudorandom Number Generators for Cryptographic Applications. To protect against hacker attack, password generators often “use cryptographic primitives such as hash functions (SHA-1 or MD5) or block ciphers (DES, Triple-DES, AES) for mixing the input or for masking the inner state against the output,” she writes.

It is recommended that you have a look at the password generator that is used in a password manager before committing to one service. Some use only pseudo-random number generators (PRNGs), while others use cryptographically secure pseudo-random number generators (CSPRNGs). Dashlane and 1Password, for example, use CSPRNGs, which protects the user by creating randomized passwords and encryption keys and making them suitable for such purposes.

Is it Possible for a Machine to Generate Truly Random Strings?

Compared to PRNGs, True Random Number Generators (TRNGs) use a physical phenomenon as a source to create randomness and introduce it into a computer. This could be a variation of someone’s mouse movements, a radioactive source or atmospheric noise (easy to pick up with a normal radio).

By using a physical phenomenon as a source, the process of generating random numbers involves identifying little, unpredictable changes in the data. Hence, the string generated becomes non-deterministic. This makes TRNGs feasible for applications such as lotteries and draws, games and gambling, security, and more.