What is a Password Generator?

A (random) password generator can be any of these 3 things: a device, a software program (offline), or an online tool that you use directly from a browser. It automatically generates a password according to whatever parameters its creator has built in, such as:

  •       Numbers
  •       Mixed-case letters
  •       Pronounceability (the harder to pronounce, the better)
  •       Strength
  •       Length

How Does a Random Password Generator Work?

Simply put, any password-generating program works from a formula or algorithm designed so that no 2 characters fall into the same pattern, and this runs at the same time the password is being produced. To illustrate:

According to Neil Rubenking in his article “How to Use a Random Password Generator”, a password generator using a pseudo-random algorithm starts with a number called a “seed”. The algorithm processes that seed to produce a new number that cannot be traced back to the previous one. That new number then becomes the seed. Still with me so far? Good.

The original seed will not appear again until every other possible number has come up. If the seed is a 32-bit integer, the algorithm would have to run through 4,294,967,925 numbers before it repeats.

A password generator initially uses random numbers as the basis for the final password; letters and special characters may be mixed in later. For now, we will look at the 3 kinds of random number generators that can serve as that base:

  •       Pseudo-random number generators
  •       True random number generators
  •       Cryptographically secure pseudo-random number generators

Pseudo-random number generators (PRNG)

As the name suggests, some random password generators produce passwords that are not truly random. They may only appear random: any trained software developer knows that such a generator can only produce output on the basis of a formula or algorithm.

According to Steve Ward, Professor of Computer Science and Engineering at MIT, these generators are “deterministic”. They are deterministic in the sense that, asked the same question with the same formula, such a system predictably gives the same answer, which makes it less random. That is when a generator becomes “pseudo-random”.

It all comes down to a system that starts from a common seed and then follows a pattern. Using the same seed produces the same pattern, and producing a pattern eliminates randomness.

The one advantage of pseudo-random number generators is speed: they can generate random-looking sequences in a very short time. That means a PRNG can deliver a password quickly, one that may not be as random yet is no less vulnerable. These pseudo-random numbers, although not impervious to attack, can still be a decent deterrent to a would-be hacker.

True Random Number Generators (TRNG)

True random number generators are, in theory, the exact opposite of pseudo-random generators. They are “non-deterministic”, meaning they do not operate solely on the basis of an algorithm. It is like a roulette wheel at a casino: there is simply no way to predict how or where the ball will end up.

Although it may seem a good idea to be able to use a true random number generator, there are a few downsides to this:

  •       TRNGs are expensive to make

Because of the complexity of what is required to be truly random, TRNGs are expensive to build, in both software and hardware.

  •       TRNGs are biased

In terms of computer digits, a TRNG's output might contain more ones than zeros. It then fails the uniformity principle, whose main idea is that random values should be spread out uniformly.

  •       TRNGs can be too slow

A TRNG might not be able to keep up with the application it is meant to serve.

Cryptographically-Secure Pseudo-Random Number Generator (CSPRNG)

One great alternative to both TRNGs and PRNGs is the CSPRNG, the cryptographically-secure pseudo-random number generator named in the heading. Free PRNGs are almost always available online, and so are CSPRNGs. The main difference between the two is the added security of the latter, along with stronger randomization through higher entropy.

High Entropy

Entropy is defined as a measure of the uncertainty associated with a random variable. In the context of cybersecurity, it is the randomness associated with generating data: higher entropy means more randomness, and more randomness in generating passwords means more security.

Security Tools

A CSPRNG increases its effectiveness at creating secure randomized passwords by using higher entropy and relying on security-grade components such as Java's SecureRandom. With higher entropy working together with SecureRandom, the CSPRNG is at the cutting edge of creating secure, highly random passwords.

To further enhance the reliability of a CSPRNG-based tool, in-app processes such as managing encryption keys, encrypting user data and other relevant security measures can greatly reassure the user.
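As an added example (not code from this article or from the sources it cites), the following Python script contrasts a password built from a seeded, deterministic PRNG (Python's random module) with one from the CSPRNG behind the secrets module, and computes a password's entropy in bits from the definition above; the symbol set and the toy-sized seed range used in the recovery demo are assumptions.

```python
import math
import random
import secrets
import string
from typing import Optional

# Character classes from the article's parameter list (numbers, mixed-case
# letters); the symbol set is an assumption, not something the article fixes.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def prng_password(seed: int, length: int = 16) -> str:
    """Password from a seeded, deterministic PRNG (Python's random module,
    a Mersenne Twister). The same seed always yields the same password,
    so the seed is effectively the whole secret."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = 16) -> str:
    """Password from the OS-backed CSPRNG exposed by the secrets module;
    there is no seed to reproduce, so two calls never agree in practice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (in bits) of `length` characters drawn uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def recover_seed(observed: str, max_seed: int = 1 << 12) -> Optional[int]:
    """Demonstrates why PRNG output is predictable: with a small seed
    space (an assumed, toy-sized range here) the seed that reproduces an
    observed password can simply be searched for."""
    for candidate in range(max_seed):
        if prng_password(candidate, len(observed)) == observed:
            return candidate
    return None


if __name__ == "__main__":
    weak = prng_password(seed=777)
    print("seeded PRNG :", weak, "-> seed found:", recover_seed(weak))
    print("CSPRNG      :", csprng_password())
    print(f"entropy of 16 chars: {entropy_bits(16):.1f} bits")
```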

Is a Password Generator Safe?

The general perception of using an online password generator is that it is not safe. This is due to the following reasons:

  •       There is no way the password generator can guarantee that the password never leaves the website.
  •       A non-technical user has no way of knowing whether the PRNG site itself is keeping a copy of the password.
  •       A non-technical user has no way to verify whether the PRNG is using good entropy.

Some would suggest downloading a password generator instead, to avoid interception on the web. If you run the app offline, you can actually reduce the risk of online attacks or stolen information.

Overall, using a password generator can be surprisingly freeing when it comes to managing all of your passwords, especially given the incessant need to create a new and stronger password every time. Additionally, an average user may have at least 70 accounts over the course of a lifetime.

It may not be 120% foolproof, but a good CSPRNG can provide a level of comfort you would otherwise not have. A good balance between safety and convenience will always be an advantage for the user who takes security seriously.