Random passwords using DuckDuckGo (fail)

Post date: May 21, 2014 3:50:26 PM

I was creating some random passwords when it suddenly hit me. Hey, these random passwords doesn't look too random at all. After little checking, it turned out it's complete snake oil.

Example passwords [A-Z,a-z,0-9] 12 characters. Should be pretty random right? Impossible to guess? Well, that isn't true at all.

Assumed amount of entropy and combinations by GRC Passwords Haystack.

Screenshot with one of passwords.

So if we have only 3,279,156,381,453,603,096,810 possible combinations, it's hard to get collisions? Not true again. Here's results form DuckDuckGo random password function, using two different computers.

A screenshot with random password generator using two different computers and browsers.

Random passwords by DuckDuckGo

Here's sample set off passwords from the service, after all, it's not so random as you might expect.

A8EodAKtoypU, oypUDZk5ugf2, A8EodAKtoypU, DZk5ugf2Xfct, A8EodAKtoypU, 0YNYDsvBLBrL, A8EodAKtoypU, XfctNY4YDsvB, A8EodAKtoypU, A8EodAKtoypU, DZk5ugf2Xfct, 0YNYDsvBLBrL, A8EodAKtoypU, A8EodAKtoypU, A8EodAKtoypU, DZk5ugf2Xfct, A8EodAKtoypU, DZk5ugf2Xfct, A8EodAKtoypU, DZk5ugf2Xfct, oypUDZk5ugf2, XfctNY4YDsvB, 0YNYDsvBLBrL, A8EodAKtoypU.

No, it's not mistake. It's real output just as I received it from the service. I guess these are NSA approved passwords or something.

Tip, always use what ever random source as seed and mutate the result by you self, so original data isn't directly used. That's one of the reasons Linux isn't using Intel random number generator alone.

It's time for final Internet wisdom, XKCD, XKCD and Dilbert.

Discussion at Google+.