Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
How Password Generators Work

By István F. Verified by Adam B. Last updated: July 17, 2024

One of the most frequently cited features of password managers is password generation, which is their ability to ease the user’s burden of having to come up with a new, suitably complex password.

Passwords generated by such a tool are highly secure, since they contain a mix of randomly generated ASCII characters.

So why not explore the core of these password generators – which are essentially random number generators – to understand how they work and the safety measures they incorporate?

Generate a password using a password manager app

When you generate a new password in a password management app, there are typically various recipe options available, but in the end something like the following will be created (in this case by 1Password’s password generator):

e4xH67mD&WU?

l9z3";Z=0XR*,ze

&2jFXpQ$r~61R=#

Notice that there isn’t any pattern to any of these because these passwords are random. Still, there is one thing to know when looking at these passwords: they aren’t as ‘random’ as you’d expect, they only look random. Here’s why…

Three types of random number generators

At the core of every password generator is a machine called a random number generator. There are three kinds of random number generators:

  • Pseudo-random number generators
  • True random number generators
  • Cryptographically secure pseudo-random number generators

Understanding what random is

We have some good news and some bad news for you. The bad: what you thought was random actually isn’t, because “you can program a machine to generate ‘random’ numbers, but the machine is at the mercy of its programming,” Steve Ward, Professor of Computer Science and Engineering at MIT’s Computer Science and Artificial Intelligence Laboratory says. The good: the generated passwords are cryptographically safe.

A random number generator – or in our case a random password generator – is an algorithm that, based on an initial seed or by means of continuous input, produces a sequence of numbers or bits.

So, the central question is: what is random?

The Merriam-Webster dictionary defines “at random” as “without definite aim, direction, rule, or method”. From this perspective, a random number generator built by humans as an algorithm that follows certain rules doesn’t match the definition of “random”, which calls its randomness into question.

According to Ward, computers are “deterministic”, meaning that if you ask the same question, you’ll get the same answer every single time. If not, the computer is broken. In other words, computers are designed to eliminate randomness by default: to follow rules and rely on algorithms as they compute, as Ward explains.

The deterministic nature of computing makes it possible for other computers to predict what’s going to happen based on previous information. Just a quick example: a Russian hacker who calls himself Alex was able to reverse-engineer the random number generator at the core of a certain type of slot machine, and the four-person team he set up was able to earn more than $250,000 per week just by flying from one casino to another and hacking slot machines.

Randomness is the exact opposite of what computers do; that’s why deterministic machines can’t generate truly random number sequences. This is why they turn to pseudo-random number generators or cryptographically secure pseudo-random number generators.

Are the passwords generated by password generators safe?

Generally speaking, they are safe, says Andrea Rock in a study entitled Pseudorandom Number Generators for Cryptographic Applications. To protect against attacks by hackers, password generators often “use cryptographic primitives such as hash functions (SHA-1 or MD5) or block ciphers (DES, Triple-DES, AES) for mixing the input or for masking the inner state against the output,” she writes.

It is recommended that you have a look at the password generator that is used in a password manager before committing to one service. Some use only pseudo-random number generators (PRNGs), while others use cryptographically secure pseudo-random number generators (CSPRNGs). Dashlane and 1Password, for example, use CSPRNGs, which protect the user by producing randomized output that is suitable for passwords and encryption keys.
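The difference between a seeded PRNG and a CSPRNG described above, and the determinism Ward describes, shown as an added Python example (not code from any of the password managers named on this page). The character set, seed value and function names are assumptions made for illustration.

```python
import math
import random
import secrets
import string

# Constructed recipe: four character classes of the kind a generator offers.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!#$%&*+,-=?@^_~")
ALPHABET = "".join(CLASSES)
SEED = 20240717  # constructed seed value, for illustration only


def prng_password(seed, length=15):
    """Password from a seeded PRNG (Mersenne Twister): fully determined by the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length=15):
    """Password drawn from the operating system's CSPRNG via the secrets module.

    Whole candidates are redrawn until every class appears, so no position
    is reserved for a particular class and no pattern is introduced.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy when every character is drawn uniformly."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Same seed, same "random" password: the seed is the whole secret.
    print(prng_password(SEED), prng_password(SEED))
    # CSPRNG output is not reproducible from any value the caller supplies.
    print(csprng_password(), csprng_password())
    print(f"{entropy_bits(15):.1f} bits for 15 characters "
          f"from {len(ALPHABET)} symbols")
```
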

Is it possible for a machine to generate truly random strings?

Compared to PRNGs, True Random Number Generators (TRNGs) use a physical phenomenon as a source to create randomness and introduce it into a computer. This could be a variation of someone’s mouse movements, a radioactive source or atmospheric noise (easy to pick up with a normal radio).

By using a physical phenomenon as a source, the process of generating random numbers involves identifying little, unpredictable changes in the data. Hence, the string generated becomes non-deterministic. This makes TRNGs suitable for applications such as lotteries and draws, games and gambling, security, and more.

