How To Generate Truly Random Passwords Using Quantum Mechanics & Python*
Written By Ranveer Chaudhary
Welcome, folks! Today, we will learn how to generate truly random passwords in Python. We will venture into the uncharted world of quantum physics and try to merge it with the zen nature of Python.
Note: This article is geared towards a general audience, offering a high-level overview of the domain of random numbers. Consequently, I won’t be diving into intricate details such as entropy sources, HRNGs, one-way functions. I’ll also be skipping the more obvious stuff like why we need passwords and the importance of using different passwords across various platforms.
What Are Truly Random Passwords & Why Do We Need Them?
Before we dive into the actual segment, we first need to understand what truly random passwords are and why we need them. Truly random passwords are generated using a process that involves true randomness, often derived from physical phenomena, so they cannot be predicted.
Why do we need them? To answer that question, we need to take a look at the famous random library in Python. The random library generates so-called pseudorandom numbers: it uses a predefined, deterministic algorithm to produce numbers that look random but are not genuinely random. They may seem random, but with a bit of math and some smart calculations, you can theoretically predict these so-called “random” numbers to some extent. Therefore, the generated password can be figured out as well.
The aforementioned algorithm in use is the “Mersenne Twister” PRNG (Pseudo Random Number Generator) [Not to be confused with the CryptMT variant]. If you want to learn more, you can check out this article. Also, it’s worth mentioning that if you go to the official documentation of the random library, it states the following:
Warning: The pseudo-random generators of this module should not be used for security purposes. (Source)
Well, duly noted. I can already see some of you Python developers shouting “secrets” at your screens. Secrets is a CSPRNG (Cryptographically Secure Pseudorandom Number Generator), which is still not truly random, and also, it’s kind of boring in my opinion. Jeez, we are talking about quantum mechanics here, which instantly makes everything so much cooler. Just to make this article much more interesting and up to modern standards, I’ll throw in some AI action later.
However, that’s not all. Choosing the right random number generator is essential. People who know about the NSA’s alleged backdoored Dual Elliptic Curve random number generator know what I’m talking about. Computerphile has a great video about it, if you want to learn more.
The Solution
What we need is a source that generates unpredictable and truly random numbers, perhaps something like the wall of lava lamps that Cloudflare uses in its San Francisco office to generate random numbers. These numbers are then used to help create the encryption keys for the SSL/TLS protocols that secure data transmitted over the internet.
This approach requires 100 lava lamps — easy enough? Maybe not. However, we have something better. The brilliant minds at the Australian National University have developed something far superior, checking off all our criteria with their Quantum Random Number Generator (QRNG). Their QRNG operates by measuring the quantum fluctuations of the vacuum. The intricacies of how the QRNG operates are beyond the scope of this article, but this is what they say:
“The random numbers are generated in real-time in our lab by measuring the quantum fluctuations of the vacuum. The vacuum is described very differently in quantum physics and classical physics. In classical physics, a vacuum is considered as a space that is empty, devoid of matter or photons. Quantum physics however says that same space resembles a sea of virtual particles continuously appearing and disappearing. This is a prediction of quantum mechanics and can be measured and even sometimes utilised, such as in this service. By carefully measuring these vacuum fluctuations, we are able to generate ultra-high bandwidth random numbers. This means our random numbers are truly random, as guaranteed by the laws of quantum mechanics.”
This is the link to their FAQ page if you want to know more. But just to give you some context about its potency:
Even if two identical generators were placed in identical environments with identical initial conditions, the streams of numbers generated would remain entirely uncorrelated.
Unfortunately, I’m living off student discounts and don’t have high-tech machines lying around my mom’s basement to conduct such experiments. So, I did the next best thing and got its API. They have a free tier that allows you to try out their random number API completely free, and you can use that in your applications, which is exactly what we will do later on.
After obtaining the API key, the basic code would look something like this.
import requests

QRN_URL = "https://api.quantumnumbers.anu.edu.au/"
API_KEY = "YOUR-API-KEY"  # issued by the ANU API portal; keep it out of source control
DTYPE = "uint8"           # each returned value is an integer in 0-255
LENGTH = 25               # how many values to request
BLOCKSIZE = 1             # block size parameter used by the hex types

params = {"length": LENGTH, "type": DTYPE, "size": BLOCKSIZE}
headers = {"x-api-key": API_KEY}
response = requests.get(QRN_URL, headers=headers, params=params, timeout=10)
response.raise_for_status()             # fail loudly on a bad key or an exhausted quota
random_bytes = response.json()["data"]  # the LENGTH values themselves, as a list of ints
I will link the GitHub repository for the entire code at the end.
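One detail the basic request leaves open is how the returned bytes become password characters. Taking `byte % len(alphabet)` is the obvious move, but 256 is not a multiple of a 94-character alphabet, so the first 68 characters would come up more often than the rest and the “truly random” output would carry a bias. The following is an added example, not code from this article or from the Cipher repository: it maps the uint8 values onto a password alphabet with rejection sampling, keeps the ANU request as a pluggable byte source (assuming, as above, that the JSON body carries the values in its `data` field), and falls back to the operating system CSPRNG via `secrets` if the API is unreachable, so a network failure degrades to “cryptographically secure” rather than to no password at all.

```python
import secrets
import string

# Password alphabet assumed for this example: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def unbiased_chars(random_bytes, alphabet=ALPHABET):
    """Map uniform bytes (0-255) onto `alphabet` without modulo bias.

    256 is not a multiple of 94, so `b % 94` alone would make the first
    256 % 94 = 68 characters of the alphabet appear more often than the rest.
    Rejection sampling discards every byte >= the largest multiple of the
    alphabet size that fits in a byte (188 for 94 symbols); what survives is
    uniform over the alphabet.  Roughly 27% of the input is thrown away.
    """
    n = len(alphabet)
    limit = 256 - (256 % n)
    return [alphabet[b % n] for b in random_bytes if b < limit]


def fetch_quantum_bytes(count, api_key="YOUR-API-KEY",
                        url="https://api.quantumnumbers.anu.edu.au/"):
    """Request `count` uint8 values from the ANU API (same request as above).

    Assumption: the JSON body carries the numbers in its "data" field.
    `requests` is imported lazily so the rest of the module runs offline.
    """
    import requests
    r = requests.get(url, headers={"x-api-key": api_key},
                     params={"length": count, "type": "uint8", "size": 1},
                     timeout=10)
    r.raise_for_status()
    return r.json()["data"]


def os_random_bytes(count):
    """Fallback source: the operating system CSPRNG via the secrets module."""
    return list(secrets.token_bytes(count))


def generate_password(length=20, fetch=fetch_quantum_bytes):
    """Build a password of `length` characters from the byte source `fetch`.

    Rejection sampling discards some bytes, so keep fetching until enough
    characters have been accepted.  If the quantum source fails (network error,
    bad key, exhausted quota), fall back to the OS CSPRNG rather than to a
    weaker or empty password.
    """
    chars = []
    for _ in range(16):                      # bound the loop if a source misbehaves
        if len(chars) >= length:
            return "".join(chars[:length])
        needed = length - len(chars)
        try:
            raw = fetch(needed * 2)          # over-request to cover rejections
        except Exception:
            raw = os_random_bytes(needed * 2)
        chars.extend(unbiased_chars(raw))
    raise RuntimeError("byte source kept returning unusable data")


if __name__ == "__main__":
    print(generate_password(20))
```

The `fetch` parameter exists so the mapping can be exercised with a known byte sequence; with a real key the default source is the ANU endpoint, and the same `unbiased_chars` step applies regardless of where the bytes came from.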
Neural Networks For Password Analysis
And now for the promised AI action. We are going to train a neural network to analyze the strength of the passwords. You might be wondering why we need to use neural networks and why we can’t just use simple if and else statements (which is exactly what was done in the initial versions of Cipher, more on that later). Well, there is a strong reason behind it, and it’s related to the analysis part.
To better understand this, let me give you an example. Do you think “abcdefgh” is a strong password? If you said yes, well, at this point, just tweet all your passwords and usernames on Twitter or X or whatever it’s called nowadays.
To those who said ‘no,’ what do you think makes a strong password overall? A mixture of uppercase and lowercase letters, some numbers, special characters thrown into the mix, and an overall length of 8 characters or more. Well, sure, you would be right too, and this is very easy to implement in your code in the form of conditional statements. But, at the same time, you’d be wrong.
You see, if we go by the aforementioned criteria, a password like ‘Abcd@1234’ fulfils all the conditions and slips by as a strong password while clearly not being one. Therefore, conditional statements may misrepresent the strength of passwords. This is where neural networks come into play: they understand the actual structure of the password, giving us a true analysis of its strength. I’m not going to go into the details of the neural network, as it is a separate topic, and discussing it would lead us off track from the main subject.
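To make the failure mode concrete, here is an added example (not the article’s neural network and not code from Cipher) that puts the if/else policy side by side with a small structure-aware estimate. The second checker is a hand-written heuristic standing in for the trained model: it splits a password into dictionary fragments, sequential runs and genuinely unstructured characters, and charges each segment for the guesswork it actually represents instead of assuming every position is independent. The fragment list and the 60-bit threshold are constructed for the demonstration.

```python
import math
import string

# Constructed list for the demonstration, standing in for a real wordlist.
COMMON_FRAGMENTS = {"password", "qwerty", "letmein", "admin", "welcome", "1234"}

# Assumed policy threshold: estimated guesswork below this counts as "weak".
STRONG_THRESHOLD_BITS = 60


def rule_based_is_strong(pw):
    """The if/else policy from the article: 8+ chars with all four classes."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def pool_size(pw):
    """Size of the character pool implied by the classes present in pw."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    if any(not c.isalnum() and c not in string.punctuation for c in pw):
        pool += 32      # rough allowance for spaces and other printable symbols
    return max(pool, 2)


def naive_bits(pw):
    """What the conditional approach implicitly assumes: every position is independent."""
    return len(pw) * math.log2(pool_size(pw))


def segments(pw):
    """Split pw into ('dict' | 'seq' | 'rand', text) segments.

    'dict' = a known fragment (case-insensitive, longest match first),
    'seq'  = 3+ consecutive code points such as 'abcd' or '6789',
    'rand' = a single character with no detected structure.
    """
    low = pw.lower()
    out, i = [], 0
    while i < len(pw):
        match = max((f for f in COMMON_FRAGMENTS if low.startswith(f, i)),
                    key=len, default=None)
        if match:
            out.append(("dict", pw[i:i + len(match)]))
            i += len(match)
            continue
        j = i + 1
        while j < len(pw) and ord(low[j]) - ord(low[j - 1]) == 1:
            j += 1
        if j - i >= 3:
            out.append(("seq", pw[i:j]))
            i = j
            continue
        out.append(("rand", pw[i]))
        i += 1
    return out


def structure_aware_bits(pw):
    """Discount predictable structure instead of counting every character in full.

    A sequential run costs one full character plus log2(run length); a dictionary
    fragment costs log2(list size) plus one bit for capitalisation; anything else
    costs log2(pool) per character.  Heuristic weights, not a trained model.
    """
    per_char = math.log2(pool_size(pw))
    bits = 0.0
    for kind, text in segments(pw):
        if kind == "seq":
            bits += per_char + math.log2(len(text))
        elif kind == "dict":
            bits += math.log2(len(COMMON_FRAGMENTS)) + 1
        else:
            bits += per_char
    return bits


def structure_aware_is_strong(pw):
    return structure_aware_bits(pw) >= STRONG_THRESHOLD_BITS


if __name__ == "__main__":
    for pw in ("abcdefgh", "Abcd@1234", "x7Q!m2Rz#pL9vW&kT4bN"):
        print(f"{pw:22} rules={rule_based_is_strong(pw)!s:5} "
              f"naive={naive_bits(pw):5.1f} bits  "
              f"structure={structure_aware_bits(pw):5.1f} bits")
```

Run on the article’s own example, the rule-based check passes ‘Abcd@1234’ and the naive estimate credits it with about 59 bits, while the structure-aware estimate sees one sequential run, one lone symbol and one dictionary fragment and arrives at under 20 bits. A 20-character password drawn from the full alphabet, by contrast, keeps its full 130-odd bits under both estimates, which is the behaviour a learned model should reproduce.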
What’s Next?
Now that we have everything, what do we do? I should have probably mentioned it at the start, but the whole idea of truly random numbers came from one of my old projects named Cipher. In 2019, I was experimenting with Python and TKinter and created a very basic but functional password generator and vault. It used the random library for generation, basic conditional statements for analysis, and md5 hashing for storage. Recently, I wanted to upgrade Cipher, and while researching, it got super interesting, and that’s how we got here.
While working on the neural networks, I upgraded the storage vault, making it secure with military-grade encryption. I also revamped the UI for the app, which was, as mentioned, previously written in Python/TKinter. Unfortunately, I had to shift all the generation code from Python to JavaScript due to some issues I was facing with asynchronous behavior, which makes the appellation incorrect (sighs); I’ll just add an asterisk to the title. You can implement all of this in Python using requests, just like I did earlier, and come up with your own generation process or translate mine into Python.
I assembled all the JavaScript, HTML/CSS code and hooked it up to a Flask server in Python with the deep learning model loaded on it, and voila, we have the latest version of Cipher. You can check out the GitHub repository to try it out and learn more about it.
Conclusion
It’s a wrap. Now, before you go out and say all of this is overkill and not needed, you’re kinda right. We don’t really need truly random passwords. Nobody is going to steal grandma’s Facebook password, and I’m not forcing you to use Cipher, nor am I in any way promoting it, although giving it a star on GitHub will be greatly appreciated ;)
The main driving force behind writing this article and upgrading the project was how interesting everything was, even though I got stuck many times while working on this project. I’m pretty sure most developers don’t get the chance to mix quantum mechanics with Python and sprinkle some AI magic on top regularly. So there’s that; you can very well use the random module to simply generate a very long password, and that would be perfectly secure (maybe).