It is easy to fall down a rabbit hole of research when searching for methods of generating sufficiently random numbers on a computer. It is an area that requires deep expertise and is generally inaccessible for the average user. At its heart, the idea of generating randomness from a device that is built to be precise seems like an oxymoron. But, as random number generation is so important for password generation, it is interesting that YubiKey has its own password generation function. To be robust the password generator implies it must have a high quality random number generation function.
Helpfully, that YubiKey random number generator can be accessed by the user. By default it spits out random bytes, but with some conversion those bytes can be translated into numbers and, for the purpose of password generation, letters.
I created a simple python program
that runs in Debian (and presumably other Linux distributions). The Windows version
took more time to solve owing to the absence of certain Linux commands (such as “tr”).
The random number generator asks for the number of random numbers you want (to be stored in a csv file) along with the biggest random number wanted (to constrain the range of numbers generated–which can become quite large). It then invokes the command “gpg-connect-agent” and there invokes the command “scd random 128”, that is, create 128 random bytes. These bytes are then translated into numbers with the “tr -dc 0-9” Linux command line command (helpfully raised in a forum). The list of random numbers that meet the user’s requirements is then saved into a csv file once the total number of random numbers is generated.
Of course these “random numbers” cannot be perfectly random, but I would assume Yubico has put some effort toward generating high quality random numbers as the base for their password generator and thus this python program can benefit from their work. The passwords generated seemed to satisfy Enpass when tested for strength, so, at least informally, it looks useful.
As mentioned above, the Windows version of this program took quite a bit longer as I could not figure out how to get “tr -dc 0-9” working in Windows without ugly hacks, but I recently discovered that with WSL2 installed one could append “wsl” in front of a Linux command on the Windows command line and it will dip into WSL2 and run the Linux command. This avoids the need to install some third party Unix overlay in Windows and works rather well. One final hurdle with the Windows program was that the
with open('random_numbers_yubikey_windows_generated.csv', 'w', newline="") as f:
needed
newline=""
added (as otherwise all the random numbers would be squished together without separation in one line, unlike in Debian where each number is separated automatically in its own line).
The password generator
(https://github.com/frasertajima/random_number_yubikey/blob/main/random_password_generator_yubikey.py)
only varies from the random number generator in extending the characters generated to include letters and to avoid saving the passwords in a file (for security reasons it seemed more secure just to spit out a list of generated passwords for the user to copy and paste, or combine, at random–to be stored in an encrypted password manager rather than on an unencrypted file). Just make sure to clear your console history.
The recent theft of the main bitcoin developer’s PGP secret key (and loss of $3M in bitcoin) after a hack only underscores my earlier comments in an earlier blog post concerning YubiKeys about how important it is not to store secrets unencrypted. While details are still being investigated, it could well be that had the PGP secret key been only stored on the YubiKey or only encrypted in a password manager (and not stored for ease of use on the developer’s computer), he could have avoided this huge loss.
Of course these python programs are only as strong as the YubiKey random number generator (which is closed source as far as I know). Testing randomness is a tricky area that I will leave to interested readers but I suspect that the YubiKey random number generator is not terrible and should be sufficient for casual use. It runs surprisingly quickly on Debian (but is a bit slower in Windows).
Felix qui nihil debet 