Are computer-generated passwords secure?

Humans typically do a very poor job at generating randomness. It is possible to get truly random numbers for computer generating passwords. One way would be to setup your computer to seed itself from random.org which generates numbers by monitoring atmospheric noise. A computer mostly like does as good or a better job then the typical person who probably doesn't care too much about how much randomness their password has.

These days passwords are really not that useful anyway. If you do a search you can fine several security professionals arguing that people are going overboard on their expectations about passwords. I think you'll find that it is becoming far more common for passwords to be acquired by phishing, keyboard loggers, and other types of attacks where the password length and level of randomness is completely irrelevant.

Any well designed system will prevent an intruder from running any kind of dictionary attack remotely by using lockouts and rate-limiting authentication attempts. The secret hashes will be pretty well protected against interception.

Of course this like all things security related depends on the amount of risk. For a low value system with reasonable safe-guards computer generated passwords are almost certainly fine. If you are responsible for security of the codes for the nuclear weapons you probably will want to spend a bit more effort on coming up with good passwords.

Are computer-generated passwords secure?

I am sorry, but secure never has and probably never will be binary. Nothing will every be in a state of 100% secure or not. Correctly generated passwords in many cases will be far more secure then the alternatives.


Your argument has a couple of premises:

Given: Good passwords are completely random
Given: Passwords generated by a deterministic machine are not random

IF deterministic THEN not random
IF not random THEN not good

Therefore: Generated passwords are not good. QED.

Your premise that good passwords are completely random is incorrect. Experience has shown that good passwords have a number of traits. Good passwords have to resist certain kinds of attacks, only one of which is password guessing. 50+ years of experience with passwords has shown that good passwords have a number of traits:

  • Long enough to make randomized guessing take too long.
  • Have enough entropy to make each character significantly non-dependent on other characters in the password.
  • Are able to be memorized.

The (welcome) death of the 8-character limit on passwords has opened up a whole new universe of good password possibilities. It has also divided what counts as a good password.

A good password on Solaris: 1ŤŁÃb$R=
A good password on Windows: 0123456789abcefBubba2pAantz

The first has very high entropy out to eight characters. The second has laughable entropy out to 16 characters, but passable entropy after that. The second would be an insane password for Solaris since it would be truncated after the 8th character, where the first would be lamentable on Windows if that password hash ever got discovered (sniffed in flight, sucked down from a domain controller, that kind of thing) thanks to Rainbow Tables. (I had a blog post about this a while back that goes into more detail about this issue in the context of cross-platform password policies. Link)

Therefore a good password has high entropy AND length. When you can't use length (that 8 character limit again) you're stuck with high entropy. When you have very large length (512 characters!) the password can include significantly less entropy for the same attack resistance.

To whit, good passwords can be completely random. Not must be.

As for your second point, about a deterministic machine's inability to produce random output. A deterministic machine using a random input can produce output containing zero to the amount of entropy it got as input, but not introduce any new entropy. In this way a password generator using 2 bytes of entropy from /dev/random (not /dev/urandom) can produce a 40-character password of high apparent randomness. Of course, if those two bytes and the algorithm used to generate passwords are known to the attacker the actual password can be derived.

The algorithm is easier to find out than the actual random bytes used to seed the algorithm. They're well published, since high quality pseudo-randomness is a valuable thing for everyone. That means that attackers have to try (in this case) every possible 2-byte combination for every permissible length. (See also: Rainbow Tables)

To whit, Passwords generated by a deterministic machine can have high randomness.

And finally, what makes machine-generated passwords bad is not their ability to be derived post-facto, it is that third bullet point I made about what makes a good password: able to be memorized. Machine-generated passwords, especially long ones, can be VERY hard to memorize which will in turn lead to them being written down somewhere insecure. Or quickly changed to something else with less length/entropy strength.


Isn't it more secure to just press keys randomly to create a random password than to use a digital generation algorithm?

No.

For a given length of password, one that is generated randomly from the full possible symbol set will be significantly more secure than just pressing keys randomly.


Isn't it more secure to just press keys randomly to create a random password than to use a digital generation algorithm?

In practice, it could be, although while pressing keys randomly the chances of you holding shift to make some symbols is unlikely :)

For pseudo-random passwords, it all depends on how you're generating them. There is a myriad of sources you can use as input into an algorithm, and many algorithms to utilize. The things that would make a long, randomly-generated password weak is disclosing:

  • The data used as a seed for the algorithm
  • The algorithm itself

essentially it is a 2-piece puzzle that just takes a while to complete. If they have the details it's just a matter of time before it's cracked. Speaking of time, it's one of the most common seeds used in pseudo-random generation.

If there's one tip I can give you to keep a secure password, computer generated or not, it would be to use a very long password which will take a long time to crack. Also, don't use any tools online to generate passwords. In 1 simple line of code, the people hosting the generator can insert the generated passwords into a database.