Humans Are Not Random Number Generators

archived comments edit

There’s an interesting discussion in the comments on the Coding Horror blog in which Jeff suggests that

Your password alone should be enough information for the computer to know who you are.

And I definitely agree assuming a couple constraints...

  • You’re on a home computer or a system with a small number of users.
  • You enforce pass-phrases rather than passwords.

A while ago I referenced an article on the insecurity of passwords as compared to pass-phrases. The article discusses how dictionary attacks and their ilk (brute-force, pre-computation, etc...) are becoming more and more successful at breaking into systems because people generally choose poor passwords.

However, in a sufficiently large system, a pass-phrase alone is no substitute for a username, pass-phrase combination during authentication. The reason is not that a 30+ character pass-phrase is theoretically statistically insecure. One commenter in Jeff’s post mentioned:

I honestly don't care how improbable it would be, I want it to be impossible.

Sorry, no system is unhackable.\ Impossible? The only system impossible to hack is one that does not allow logins. Perhaps a lump of rock would be more to your taste? Even with a username and password combination, it is not impossible to guess a usernamen and password combination by pure accident . I might by pure chance in haste mistype my credentials in such a way that I inadvertently type in the username and password of another user. That’s possible.

That’s probably within the same range of probability (and I’m hand waving here) as guessing a 30+ character cryptographically generated pass-phrase.

But there’s just one problem. Humans are not cryptographically strong generators.

True Story\ When I was giving a presentation in college about random number sequences, I asked my classmates to “generate” two random sequences of ones and zeroes, each fifty numbers long. I stepped out of the room and they generated the first sequence by just writing ones and zeroes on the board as they saw fit, attempting to generate a random sequence. For the second sequence, they flipped a coin fifty times and wrote those numbers on the board.

They then summoned me into the classroom. I took a look at the two sequences and quickly discerned which was generated by coin toss and which was generated by consensus.

It turns out that we have a tendency, in an attempt to be random, to assume that there will not be very long strings of the same number. So in the sequence generated by hand, the longest sequence of the same character was only three or four long. But in the random sequence of 50 coin tosses, I expected at least one sequence of the same number to be around 5 or 6 characters long.

Psychology of secrets\ So back to the point. The problem in a system with a large number of users is that psychology comes into play. You just know one or two people are going to choose the phrase “Who let the dogs out?” If you didn’t require a username and pass-phrase combo when authenticating, a person could inadverdently access another user’s account. Instead of attempting to guess one user’s account at a time, a hacker could be guessing at ALL user’s accounts at the same time.

Now there are some potential ideas that could make this work, assuming the benefit is worth it. One is to require that the pass phrase contain a number and a punctuation mark. Another option is to also require that the pass-phrase contain the username. So instead of the earlier pass-phrase I mentioned, my pass-phrase might be “Who let the dogs out Mr. Haacked?”

Comments