Humans are lousy random number generators

After reading Bruce Culp’s December 2014 newsletter, I found it interesting that I was writing on a similar topic, but from a different direction. In Bruce’s newsletter, he mentions a Reg Parker who thought through the human process and the weaknesses in humans. I would consider this one of the first steps in social engineering, a problem we still face today. In his case, he did not use social interactions to obtain information, but clever observation of human behavior and how to leverage that knowledge. What is the problem we are looking at?
Humans are lousy random number generators!

I may not be the best Enigma historian, but my training in Mathematics and Statistics has shown me that humans are lousy at choosing random numbers or letters. Part of the security of Enigma, or of any cryptologic system, is randomness. The rotor starting point and the key used need to be random. In addition, any short-term repetition or pattern endangers the entire system.

To test this theory on myself, I recorded my passwords over an extended period. Studying that list, I noticed certain patterns in the passwords I generated. I do better by looking around and choosing objects at “random,” taking three or four characters from the name or category, and adding numbers and special characters by bouncing my hands on the keyboard without looking. Not perfect, but better than the ones I thought up as “random.” Because we tend to fall into patterns, I was careful not to choose an object that had been chosen for the prior 4-5 passwords. While truly random passwords or choices can repeat, a repeated three-letter pattern would help the cryptologist/bad guy crack my password.

Many people have studied humans’ lack of ability to be random (see the references below). So how can we overcome this problem as we try to emulate proper procedures for creating secure keys? Alternatively, how can we use this knowledge to create better passwords for ourselves? Truly random passwords are difficult to remember, but there are strategies to help. Semi-random pronounceable passwords are easier for humans, but they are weaker than truly random ones. A slightly weaker password that you can remember is far better than a secure one that you have to write down! As a systems administrator, I have to generate initial passwords for my users; I use the Password Generator listed under Sources of Random, below. You will notice that the pronounceable passwords contain many three-letter groups that we can take advantage of for Enigma settings.

If you look under “Sources of Random,” I also have a couple of different apps and a web page to help. Are these truly random? Nope! However, the pseudorandom algorithms are sufficiently complex that, for the number of messages we are likely to send, we should be OK.

Don’t like these? Got one or two dice? A couple of coins? I have created a couple of charts that let you use “old tech” to generate random values. The coins are a bit more work, since it takes five coin tosses to get one letter, but if you are not in a rush, it works. The dice charts were designed to spread the numbers out so that each roll has the best possible chance of yielding a value, but even so, 10 throws out of 36 (27.7%) are a reroll. Without getting into fancy dice and complex charts, it is the best I can do. If you want to spend a few bucks, you can get a 26-sided die.
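The coin and dice charts above work by rejection: outcomes beyond the 26 letters are thrown away rather than folded back in, which is what keeps every letter equally likely. The following is an added example, not the author's charts; the exact layout of those charts is not reproduced here, so reading the two dice as a base-6 number is an assumption, and the modulo variant is included only to show the bias that rejection avoids.

```python
import random
from collections import Counter

LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def letter_from_coins(tosses):
    """Five coin tosses ('H'/'T') read as a 5-bit number 0..31.
    Values 26..31 are rejected (None = toss again), so the 26 kept
    values are equally likely."""
    if len(tosses) != 5 or any(t not in "HT" for t in tosses):
        raise ValueError("need exactly five tosses, each H or T")
    value = int("".join("1" if t == "H" else "0" for t in tosses), 2)
    return LETTERS[value] if value < 26 else None

def letter_from_dice(d1, d2):
    """Two six-sided dice read as a base-6 number 0..35 (assumed
    layout). The 10 outcomes 26..35 are rerolls, the article's 10/36."""
    if not (1 <= d1 <= 6 and 1 <= d2 <= 6):
        raise ValueError("each die shows 1..6")
    value = (d1 - 1) * 6 + (d2 - 1)
    return LETTERS[value] if value < 26 else None

def biased_letter_from_dice(d1, d2):
    """The shortcut to avoid: folding the 10 spare outcomes back in
    with modulo gives A..J two outcomes each and K..Z only one."""
    return LETTERS[((d1 - 1) * 6 + (d2 - 1)) % 26]

def outcome_counts(fn):
    """Tally fn over all 36 equally likely dice outcomes."""
    return Counter(fn(d1, d2) for d1 in range(1, 7) for d2 in range(1, 7))

def random_setting(seed=None, length=3):
    """Roll simulated dice until `length` letters are accepted, e.g. an
    Enigma rotor start position. A fixed seed makes the result repeatable."""
    rng = random.Random(seed)
    letters = []
    while len(letters) < length:
        letter = letter_from_dice(rng.randint(1, 6), rng.randint(1, 6))
        if letter is not None:
            letters.append(letter)
    return "".join(letters)

if __name__ == "__main__":
    print(outcome_counts(letter_from_dice))         # every letter 1, None 10
    print(outcome_counts(biased_letter_from_dice))  # A..J 2, K..Z 1
    print(random_setting(2014))
```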

Do you need to change anything for something we do for fun? No, but hopefully this will give you some thoughts on the problems of creating secure keys and passwords.

Sources of Random:

  • Web based Random Letter Sequence Generator: You can generate several three/four letter sequences to use as starting points and keys for Enigma enciphering. Generate several sequences to keep handy, and scratch them off as you use them. (http://www.dave-reed.com/Nifty/randSeq.html)
  • Android App: “Letters & Numbers Generator”: My favorite Android app to generate random letters. (https://play.google.com/store/apps/details?id=andr.app.random&hl=en)
  • IOS: “Letters – Random Character and Words” by Georg Dresler
  • Dice:
    • 26 letters: http://tinyurl.com/oou7fjf
    • 26 numbers: http://tinyurl.com/nezk67e
  • Password Generator: http://www.us-webmasters.com/Random-Password-Generator/

References:

  • Human Password Selection and Randomness: http://www.cs.cmu.edu/~jblocki/HumanRandomness.htm
  • Are people capable of generating a random number? http://philosophy.stackexchange.com/questions/1961/are-people-capable-of-generating-a-random-number
  • Humans cannot consciously generate random numbers sequences: Polemic study. http://www.researchgate.net/publication/5954804_Humans_cannot_consciously_generate_random_numbers_sequences_Polemic_study
  • Kerckhoffs’s principle: http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
