The Importance of True Randomness

AI written, human edited.

In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte delved into a fascinating story that highlights the critical importance of robust random number generation in cybersecurity. The tale involves a cryptocurrency owner, $2.6 million worth of Bitcoin, and a startling discovery about a popular password manager's flawed algorithm.

The story begins with a man named Michael, who had lost access to 43.6 Bitcoin (worth approximately $2.6 million at the time) due to a forgotten password. This password, generated by the RoboForm password manager in 2013, was thought to be irretrievable. However, hardware hacker Joe Grand and his colleague Bruno managed to crack the password, revealing a significant vulnerability in RoboForm's password generation process.

Steve Gibson, clearly shocked by the revelation, explained the nature of RoboForm's flaw. Until mid-2015, RoboForm's password generator was using a shockingly simplistic method to create "random" passwords. Instead of employing a cryptographically secure pseudo-random number generator (CSPRNG), RoboForm was merely scrambling the computer's current time.

This meant that:
1. Passwords generated within the same second would be identical.
2. Passwords could be recreated if the generation time was known.
3. Different RoboForm installations would produce the same passwords at the same time.
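To make those three consequences concrete, here is an added Python illustration (not code from the episode, and not RoboForm's actual algorithm, whose details the page does not give): a simplified model of a time-seeded generator beside a CSPRNG-based one, with the entropy arithmetic showing why a long password does not help when the seed is a timestamp. The 94-character alphabet and the epoch timestamp used in the demo are assumptions.

```python
import math
import random
import secrets
import string

# Assumed alphabet: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def time_seeded_password(epoch_seconds: float, length: int = 20) -> str:
    """Illustrative weak generator (an assumed model of the flaw, not RoboForm's
    real code): the only entropy is the generation time, truncated to whole
    seconds and fed to a non-cryptographic PRNG. Two generations in the same
    second give the same password, and knowing the time lets anyone recreate it."""
    seed = int(epoch_seconds)      # whole seconds since the Unix epoch
    rng = random.Random(seed)      # Mersenne Twister: output fully determined by seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = 20) -> str:
    """Hardened form: every character is drawn from the OS CSPRNG via `secrets`,
    so no two generations are related and no timestamp can reproduce the result."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_entropy_bits(window_seconds: int) -> float:
    """Effective entropy of the weak generator if the generation time is known to
    lie within a window: one distinct password per second, whatever the length."""
    return math.log2(window_seconds)


def nominal_entropy_bits(length: int = 20) -> float:
    """Entropy the same password would have if each character were chosen
    uniformly and independently from ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    t = 1368619200.0  # constructed timestamp: 2013-05-15 12:00:00 UTC
    print(time_seeded_password(t))
    print(time_seeded_password(t + 0.5))  # same second -> identical password
    print(csprng_password())
    print(f"weak generator, one-year window: {weak_entropy_bits(365 * 24 * 3600):.1f} bits")
    print(f"nominal 20-char password:        {nominal_entropy_bits():.1f} bits")
```

With a one-year window the weak generator has under 25 bits of entropy, against roughly 131 bits that a uniformly random 20-character password of the same alphabet would carry.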

Both Gibson and Laporte emphasized the crucial role of true randomness in cryptographic operations. Gibson recalled his own work on the SpinRite utility, where he implemented an "entropy harvester" to gather randomness from various system sources. He also mentioned hardware-based solutions, such as reverse-biased diodes that generate quantum-level noise, as ideal sources of true randomness.

Laporte brought up other examples of random number generation, including Cloudflare's lava lamp wall, highlighting the lengths to which companies go to ensure true randomness.

The RoboForm incident serves as a stark reminder of several key points:

1. The importance of open design in security software
2. The need for independent expert assessment of cryptographic implementations
3. The dangers of assuming that well-known software products are inherently secure

Gibson strongly advocated for transparency in password manager design, stating, "Any password generator that anyone is using should fully disclose its algorithms. There's no point in that being secret in the 21st century."

For users of RoboForm prior to mid-2015, this revelation is particularly concerning. Passwords generated during this period are potentially vulnerable and should be changed. More broadly, this incident underscores the importance of regularly updating passwords and using password managers with transparent, well-vetted security practices.

The RoboForm story serves as a cautionary tale in the world of cybersecurity. It reminds us that even well-established software can harbor significant vulnerabilities, and that true randomness is a cornerstone of strong cryptography. As we continue to rely on digital systems for sensitive information, the need for robust, transparent security practices becomes ever more critical.
