Randomness is hard

An old professor of mine had a great party trick. He’d have about half the class toss a coin fifty times and write down the results. The other half of the class he’d tell to write down ‘random’ heads and tails. Without fail he could tell who was in which group. There were a few key giveaways: no long runs of just heads or just tails, for instance, or long runs of strict alternation between heads and tails.
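The professor's giveaway can be turned into a simple statistic. The example below is an added illustration, not part of the original post: it computes the longest run and the alternation rate of a heads/tails string, and estimates by simulation how often 50 fair flips contain a run of five or more. Both sample sequences are constructed for this example; the threshold of five is a rough heuristic, not a formal test.

```python
import random

# Constructed sample: the kind of sequence people write when asked to "be random":
# heads and tails alternate constantly and no run exceeds two.
HUMAN_LIKE = "HTHHTHTTHT" * 5

# Constructed sample: 50 actual-looking coin flips, including a run of six heads.
COIN_LIKE = "".join([
    "HHTTTHHHHHH",
    "THTTHHTHTTT",
    "THHHTHTHHHT",
    "TTHHHTHHTTT",
    "HTHTHH",
])


def longest_run(seq):
    """Length of the longest stretch of identical consecutive symbols."""
    best = cur = 0
    prev = None
    for s in seq:
        cur = cur + 1 if s == prev else 1
        best = max(best, cur)
        prev = s
    return best


def alternation_rate(seq):
    """Fraction of adjacent pairs that differ; a fair coin gives about 0.5."""
    if len(seq) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
    return changes / (len(seq) - 1)


def looks_human(seq, min_run=5):
    """Crude heuristic: a 50-flip sequence with no run of 5+ is suspicious."""
    return longest_run(seq) < min_run


def p_run_at_least(n=50, k=5, trials=20000, seed=1):
    """Monte Carlo estimate of P(longest run >= k) for n fair flips.

    A seeded PRNG is fine here because this is a simulation, not a secret.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        flips = "".join(rng.choice("HT") for _ in range(n))
        if longest_run(flips) >= k:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, seq in (("human-like", HUMAN_LIKE), ("coin-like", COIN_LIKE)):
        print(f"{name}: longest run {longest_run(seq)}, "
              f"alternation rate {alternation_rate(seq):.2f}, "
              f"flagged as human: {looks_human(seq)}")
    print(f"P(run >= 5 in 50 fair flips) ~ {p_run_at_least():.2f}")
```

Running it shows the "human" sequence flips back and forth far more often than a coin would, while the simulation shows that a run of five or more is the norm, not the exception, in 50 fair tosses.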

But his overall point was this: humans, no matter how hard we try, struggle to be truly random. We are so bad at it, in fact, that forensic accountants are often able to detect large-scale fraud merely by scouring the books for figures that aren't random enough.

This is a huge problem for businesses. Why? Passwords.

Strong passwords are random

A good password is a random password. Any pattern, any predictability: that’s the starting point a modern AI-enabled hacker needs to guess a password and force their way in. Modern AI is great at imitating how we use and connect words.

With just a few basic facts from LinkedIn or Facebook, AI can start guessing an employee’s password, drawing connections that the employee thought were random, but were in fact driven by the knowledge and patterns that drive our thinking. Researchers recently released PassGPT, a ChatGPT-like tool that can guess 20% more passwords than existing state-of-the-art hacking tools. Another AI-driven tool - PassGAN - can reportedly guess 50% of common passwords in under a minute.

If good passwords are random, and randomness is tough for humans, how can we protect ourselves online? Well, what do the pros do? Security professionals have clever techniques for picking secure passwords.

Some of them like to have computers create a stream of random letters - computer noise, basically - that they can pull from to make passwords. Others will pick up a dictionary and start pointing at words at random, stringing together a nonsense passphrase that’s truly unpredictable. Still others come up with a crazy sentence - “When I was seven, my sister threw my stuffed rabbit in the toilet” - and use the initials as their password: “WIw7,mstmsritt”.
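The first two techniques above, a stream of computer noise and a passphrase of dictionary words picked at random, are easy to automate so that a machine, not a person, supplies the randomness. The following is an added example, not code from the original post or from Stronta: it uses Python's `secrets` module (a cryptographically secure generator, unlike the `random` module) and computes how many bits of entropy each method yields. The 32-word list is constructed for illustration only; a real diceware-style list has 7776 words, and the strength figures below show why that matters.

```python
import math
import secrets
import string

# Constructed wordlist for illustration (32 words = 5 bits per word).
# A real diceware-style list has 7776 words (~12.9 bits per word).
WORDLIST = [
    "apple", "river", "candle", "stone", "maple", "orbit", "pencil", "quartz",
    "velvet", "wheel", "yarn", "zebra", "anchor", "basket", "cobalt", "dune",
    "ember", "falcon", "garnet", "harbor", "island", "jungle", "kettle", "lantern",
    "meadow", "nickel", "otter", "pebble", "ripple", "saddle", "timber", "walnut",
]

# Letters, digits and punctuation: 94 printable characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_characters(length=16, alphabet=FULL_ALPHABET):
    """The 'computer noise' approach: each character drawn from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=6, wordlist=WORDLIST, sep="-"):
    """The 'point at the dictionary' approach, with the computer doing the pointing."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent uniform choices from a pool of `pool_size`."""
    return picks * math.log2(pool_size)


def picks_needed(target_bits, pool_size):
    """Smallest number of choices from the pool that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    pw = random_characters(16)
    print(f"{pw}  ({entropy_bits(len(FULL_ALPHABET), 16):.1f} bits)")
    phrase = random_passphrase(6)
    print(f"{phrase}  ({entropy_bits(len(WORDLIST), 6):.1f} bits from this toy list)")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
    print(f"words needed for 80 bits: toy list {picks_needed(80, len(WORDLIST))}, "
          f"7776-word list {picks_needed(80, 7776)}")
```

The entropy figures are what distinguish these methods from the initials-of-a-sentence trick: a sentence someone chooses has no measurable randomness, so its strength cannot be stated in bits, whereas six words drawn uniformly from a 7776-word list carry about 77 bits regardless of how memorable the result looks.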

But approaches like these are cumbersome, hard to remember, and take expertise and dedication. Most people settle for less secure passwords, a problem that’s especially acute at businesses: employees, who are incentivized to focus on their core job responsibilities, tend to do the bare minimum required when it comes to computer security.

What’s a business to do? We recommend a three-pronged approach. First, use single sign-on wherever possible, to minimize the number of passwords in play. Second, ensure that employees have access to a quality password manager, and are trained on how to use it to generate unique random passwords for every website. And finally, use Stronta’s tools for verifiably assigning secure passwords to your employees for their SSO and other critical logins.

Interested in learning more about Stronta’s password solutions? Reach out to us to schedule time.