# Humans Are Not Random Number Generators

There’s an interesting discussion in the comments on the Coding Horror blog in which Jeff suggests that

Your password alone should be enough information for the computer to know who you are.

And I definitely agree assuming a couple constraints

• You’re on a home computer or a system with a small number of users.
• You enforce pass-phrases rather than passwords.

A while ago I referenced an article on the insecurity of passwords as compared to pass-phrases. The article discusses how dictionary attacks and their ilk (brute-force, pre-computation, etc…) are becoming more and more successful at breaking into systems because people generally choose poor passwords.

However, in a sufficiently large system, a pass-phrase alone is no substitute for a username, pass-phrase combination during authentication. The reason is not that a 30+ character pass-phrase is theoretically statistically insecure. One commenter in Jeff’s post mentioned:

I honestly don’t care how improbable it would be, I want it to be impossible.

Sorry, no system is unhackable.\ Impossible? The only system impossible to hack is one that does not allow logins. Perhaps a lump of rock would be more to your taste? Even with a username and password combination, it is not impossible to guess a usernamen and password combination by pure accident . I might by pure chance in haste mistype my credentials in such a way that I inadvertently type in the username and password of another user. That’s possible.

That’s probably within the same range of probability (and I’m hand waving here) as guessing a 30+ character cryptographically generated pass-phrase.

But there’s just one problem. Humans are not cryptographically strong generators.

True Story\ When I was giving a presentation in college about random number sequences, I asked my classmates to “generate” two random sequences of ones and zeroes, each fifty numbers long. I stepped out of the room and they generated the first sequence by just writing ones and zeroes on the board as they saw fit, attempting to generate a random sequence. For the second sequence, they flipped a coin fifty times and wrote those numbers on the board.

They then summoned me into the classroom. I took a look at the two sequences and quickly discerned which was generated by coin toss and which was generated by consensus.

It turns out that we have a tendency, in an attempt to be random, to assume that there will not be very long strings of the same number. So in the sequence generated by hand, the longest sequence of the same character was only three or four long. But in the random sequence of 50 coin tosses, I expected at least one sequence of the same number to be around 5 or 6 characters long.

Psychology of secrets\ So back to the point. The problem in a system with a large number of users is that psychology comes into play. You just know one or two people are going to choose the phrase “Who let the dogs out?” If you didn’t require a username and pass-phrase combo when authenticating, a person could inadverdently access another user’s account. Instead of attempting to guess one user’s account at a time, a hacker could be guessing at ALL user’s accounts at the same time.

Now there are some potential ideas that could make this work, assuming the benefit is worth it. One is to require that the pass phrase contain a number and a punctuation mark. Another option is to also require that the pass-phrase contain the username. So instead of the earlier pass-phrase I mentioned, my pass-phrase might be “Who let the dogs out Mr. Haacked?”

Found a typo or error? Suggest an edit! If accepted, your contribution is listed automatically here.

### 4 responses

1. October 12th, 2005

> You just know one or two people are going to choose the phrase “Who let the dogs out?

In the case of collisions, one poster had a good idea-- in the event of a password collision, invalidate the collided user and prompt them for some other bit of unique information the next time they attempt to log on.

2. October 12th, 2005

My US government password was something along the lines of two lower case, two upper case, two numbers, and two punctuations, all of which had to be mixed up according to some asinine rules. Oh, and we had to change it every 3 months. I have trouble remembering my cellphone number, let alone a quasi-random code.

Needless to say, my code was always written down and stored conveniently in my file cabinet under "Computer". Good thing the US Army doesn't have any secrets they wouldn't want the world to know about.

3. October 12th, 2005

Perhaps we should all use something like this:

New USB flash drives support running software straight off the drive without having to install anything on your computer (like the SanDisk Cruzer Mini http://www.amazon.com/exec/obidos/tg/detail/-/B0001FV37S/qid=1127158643/sr=8-1/ref=pd_bbs_1/102-0631639-8228908?v=glance&s=pc&n=507846 )

RoboForm has a cool little app that (a) runs off your flash drive automatically when you insert it; (b) attaches to your browser/s; (c) remembers your credentials and (d) automatically logs you in the next time you visit that login page.

http://www.roboform.com/pass2go.html

This was a tip from my friend Micah.

4. October 12th, 2005

My password generation system has survived every intrusion test into our company. We've had password attacking software run against the SAM database for literally months and it never figured mine or anyone else's who used my methodology out. Yeah, it'd swipe a character or two, but that was about it. Unfortunately, within 15 minutes we had 90% of the entire company's passwords, including the CEO's.

When you have a password like Idahg95JWŸ, you can rest assured no one is going to be able to either guess or brute force their way in in a timely manner. No, it's not impossible, but the improbability of it would give the Heart of Gold fits. By the way, that stood for I drive a hunter green 95 Jeep Wrangler (with ALT+159 tossed in the end for good measure). Using the first letter of a phrase is easier to type and easier to remember.

I'm not saying my system is perfect, I'm saying it is good enough, at least for now.

I also did a trick one time (one of those that you can only do once) where I chose a simple word as a password, let the admins 'hack' the db to get it, and challenged them to log in as me. Even with my password right there in front of them, they couldn't log in as me. The secret? A space at the end (it doesn't 'show up' in the report, they never typed it). Not a good security method, but kind of funny nonetheless.