
Toddler Password – Get a secure password generated by a toddler - pain_perdu
http://www.toddlerpassword.com
======
brianberns
This is cute, but I'm dubious. It generated "y3aEmic8B217" as my password. Kid
just happened to hit the shift key while also pressing E and then B? It looks
a little too random to me. When I pound on the keyboard, I get results that
look more like "fjlsd;lasf".

~~~
jefftk
My guess is they're using what the toddler typed to seed an RNG?

~~~
brianberns
Yeah, the verbiage says that his typing is merely the "basis" for the
resulting password, so you're probably right.

~~~
robbya
Which means the password has much less entropy than it appears to have. It's a
fun implementation, but not serious.

~~~
tialaramex
So, kinda, sorta, mostly no.

We have these things called stream ciphers. You put a little bit of randomness
in, and you get what seems to be lots of randomness out. For example the
cipher might need a 256-bit key and 128-bit nonce and then spit out gigabytes
of seemingly random data.

Now, mathematically they can't /really/ be making more randomness; there are
no random steps, it's all deterministic, and in principle it ought to be
possible to unwind the steps and get back the initial random state. But it
turns out that the unwinding step just can't actually be done with a good
stream cipher; that's the whole point.

We do this sort of stuff a lot in real modern cryptography. There's an HN
article which might still be on the front page, it was earlier today,
explaining how SSH works. It shows that six keys are needed for SSH
encryption, but they don't go get six times the randomness you'd need for a
single key; they can just use a cryptographically strong hash function and
make six different keys from the same shared secret randomness.

Let's do an experiment:

I've rolled my hex dice a few times to create a 64-bit random number.

I've pushed that as ASCII text into MD5 and got back a result, and now I'm
going to tell you the first and last characters of the result:

F31FB042................81AFD8FA

That's 64 bits. If you were correct with this idea about entropy you could
tell me what the missing bits are; in fact you could prove it to other posters
- after all, I have given you all the randomness according to your thinking,
there can't be any left.

But in fact you have no idea what those missing bits are, no idea what the
original 64-bit number was, because you are wrong: with cryptographic
primitives like hashes or stream ciphers we can in practice take a relatively
small amount of entropy (like a few minutes of keyboard bashing by a toddler)
and that's enough for all purposes.

The _real_ reason you shouldn't use this to make passwords is that the site
might be lying and keeping a record of every password that is chosen and which
IP address it was given to etcetera.

~~~
esotericn
This is not the case because one could enumerate the entire 64-bit space and
perform a rainbow table attack on your scheme.

~~~
jefftk
Simple brute force is not a rainbow table.

Brute forcing 2^64 bits means calculating 2^63 MD5s in expectation. You can do
~100 GHash/sec, so ~2^37/s, so about 2^29s which is 17 gpu-years. So this is
doable, but incredibly expensive.

~~~
tialaramex
I'm glad my eyeballing the difficulty came off here.

It was tempting to pick, say, 128 bits of randomness and SHA-512/256, where I'd
stake actual money that it just cannot be done - but that's like twice as much
die-rolling and typing. On the other hand, if I do 32 bits (fewer rolls) and
MD5 there's probably some loser out there who has already precomputed all of
those for whatever reason, and then somebody finds the answer with a Bing
search and doesn't end up learning anything.

    echo -n 'F004672790DB5B1D' | md5sum
    f31fb042501c2a398974feca81afd8fa  -

------
iandanforth
Here's the stock photo:

[https://www.gettyimages.com/detail/photo/cute-baby-boy-sitti...](https://www.gettyimages.com/detail/photo/cute-baby-boy-sitting-in-nature-with-laptop-royalty-free-image/174751793)

~~~
jvolkman
It's possible Max is also in the stock photo business.

------
aloknnikhil
[https://www.toddlerpassword.com/privacy](https://www.toddlerpassword.com/privacy)

Why does this need analytics and thus tracking cookies? I'm genuinely asking.
What kind of data does this even need tracking?

~~~
2pointsomone
Same concern

------
K0SM0S
Just to point out that human "smashing keyboard" is far from random.

Even if it weren't due to the keyboard's fixed layout (between two smashes),
it's largely because of our non-random nature — a human being cannot reliably
output random objects even in thought / speech. Don't ask me why (I don't
think anyone knows or could prove it theoretically) but it's been verified
countless times (war secrets help make such research important).

We're at best capable of pseudo-randomness mathematically. Some controversial
neuroscience even places us far into the deterministic scope. A child is
probably way more determined than an adult for that matter, due to a much
simpler schema of reality, with 'weird obsessions' (e.g. it feels nice to
smash the same place over and over again, our brain is quick to play games
like that, such as walking on specific tiles to avoid the lava in the street).

I wouldn't trust most animals to output randomness. We have crypto packages
suited for that purpose. ;-)

~~~
ignoranceprior
For anyone who wants an intuitive feel for how hard it is for humans to
generate random bits, I would recommend playing this game:

[https://roadtolarissa.com/oracle/](https://roadtolarissa.com/oracle/)

~~~
pkolaczk
Huh, I got 48%. Am I more random than random? :D

~~~
blotter_paper
From the page:

> Knowing what the computer will guess, you can guarantee that it is always
> wrong by picking the other direction. Doing the opposite of what a computer
> tells you isn’t quite free will though!

------
computerex
I am inclined to not trust the story here. Too many shady things going on. The
passwords just seem like they are generated algorithmically, so the whole
underlying premise seems to be bs. The images can be found on a stock image
site, they are asking for money, and it's all done in a very shady way where
the password is being generated server-side, making it inherently insecure as a
generator.

Seems like someone is using the imagery of a cute child to make a few extra
bucks, at best.

------
blotter_paper
Poor Max -- his dad's a developer, but he still has to work as a typist just
to afford clean diapers, food, and toys. Everybody donate to this poor child's
cause!

Joking aside, will I break this if I request too many characters? Does it loop
after running out of Max's prior input? Is Max really just a script?

~~~
WilliamEdward
No, I requested a 50 char length password and spammed the button and it kept
giving me passwords.

What's likely is the kid's input was used as a seed (string to int?) and then
put into a random number generator.

Kind of cute :)

------
phasetransition
My 2 year old would like to join as technical employee #1, but only if he gets
forward vesting.

------
Istribitel
From experience with my kids when they were toddlers, they would type what
they saw. I was kind of freaked out when my son typed "WARNING". They watched
VHS tapes or DVDs that began with that message.

------
Exuma
Why is this upvoted so high, this is purely a scam, and the passwords are not
generated in the client.

------
peteretep
> A toddler acts with good faith

Questionable

~~~
NetOpWibby
As a parent of a threenager, I'm inclined to agree.

~~~
em-bee
Teenagers and toddlers are quite different. I can assure you that despite
outside appearances, when your teenagers were toddlers they were acting in
good faith, until they learned otherwise, from you.

------
SquishyPanda23
A toddler is basically a human that just booted. I'm not sure they have enough
entropy to generate a good password. :-P

~~~
lostgame
Well, conversely they have very little bias, since they have no previous
experience - which could be useful?

------
topkai22
My toddler provides a whole security suite: she will set your critical files
to read-only (by pulling all the keys off your keyboard), airgap your network
(by playing with the power strip it's connected to), and virus detection (by
beginning to emit screams and snot as soon as she catches one) :)

------
ghostly_s
I don't know what they're doing with the site design but it's completely
devoid of text for me even with my adblocker turned off. I thought that was
part of the gimmick at first until I realized there is text displayed for a
fraction of a second before it finishes loading.

------
bdcravens
Won't the service have reduced entropy as time goes on?

In 2034, all the passwords will be "lol duh"

------
ggggtez
This is obviously not real.

------
pesfandiar
This is cute, but I'd rather use the very secure password generated by experts
at [https://mostsecure.pw/](https://mostsecure.pw/)

~~~
Consultant32452
Hilarious, that site gives the same password every time I load the page. Also,
that password has never been hacked according to haveibeenpwned.

~~~
Selfcommit
Yes, I think that's the joke :)

------
trpc
After decades of academic research, true randomness finally achieved.

------
wyldfire
Pretty entertaining. But if you want people to feel any more confident in your
generator, you need to have entropy metrics.

I have a feeling toddlers might be worse than other entropy sources.

------
code-is-code
A human using a keyboard is one of the worst RNGs out there.

------
lukevers
This is great. My daughter does this for me too:

[https://twitter.com/lukevers_/status/1181217729216425984](https://twitter.com/lukevers_/status/1181217729216425984)
[https://twitter.com/lukevers_/status/1181217968287559680](https://twitter.com/lukevers_/status/1181217968287559680)

------
thomaspark
Well done on the site, lovely style and funny idea.

------
netsec_burn
There is a reason why password generators are client side, not server side.
The server can store all passwords it has ever provided.

------
anonu
So, this is a fun idea.

I have a toddler, so I identify. She constantly mashes my laptop keyboard,
often deleting large blocks of code or typing gibberish into slack.

My biggest revelation here is how terrible the new MBP keyboard is. Just a bit
of keyboard mashing and many keys are rendered useless. They require some
gentle massaging to get back to a semi working state.

------
johnramsden
Child labor, contacting Social Services.

~~~
lostgame
My very first thought - I can’t decide if I’m just being way too sensitive or
if this is actually as wildly inappropriate as it seems.

------
fortran77
This is absolutely not secure. If he let the kid type away for an hour and is
selecting sub-strings from it, then all the passwords generated from this
exist in a file that can be exfiltrated given enough requests to his server.

~~~
jlgaddis
What if he let the kid type away for an hour, hashed that with SHA512, and
used that as a seed for an RNG? Gigabytes of perfectly usable key material
could be generated!

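What tialaramex's and jlgaddis's posts above describe, a short burst of keystrokes condensed once by a hash and then stretched into as many keys or password characters as you like, written out in Python as an added example (this is not the site's code; the keystroke sample, the HKDF labels and the password alphabet are constructed for this example, and HKDF per RFC 5869 stands in for whatever stretching the site may or may not do):

```python
import hashlib
import hmac
import string

# Constructed sample standing in for a burst of toddler keyboard mashing.
# This is an assumption for the example, not data from toddlerpassword.com.
MASH = b"fjlsd;lasf jjjjjjjjjj  aaaassssdddfff  ;;;;lkjh"

# Constructed password alphabet: upper, lower, digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def seed_from_mash(mash: bytes) -> bytes:
    """Condense the raw keystrokes into a fixed 64-byte seed with SHA-512.

    Hashing does not add entropy: the seed is worth at most
    min(entropy of the keystrokes, 512) bits, however long the output below gets.
    """
    return hashlib.sha512(mash).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256: input keying material -> PRK."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256.

    Stretches a fixed-size secret into `length` bytes. Distinct `info` labels
    give unrelated-looking outputs from the same secret, which is the
    'six keys from one shared secret' trick mentioned for SSH.
    """
    if length > 255 * 32:
        raise ValueError("HKDF-Expand output is limited to 255 blocks")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(seed: bytes, n: int, key_len: int = 32) -> list:
    """Derive n independent-looking keys from one seed using distinct labels."""
    return [hkdf_expand(seed, b"key-" + str(i).encode(), key_len) for i in range(n)]


def password_from_seed(seed: bytes, length: int, alphabet: str = ALPHABET) -> str:
    """Map the derived byte stream onto the alphabet with rejection sampling,
    so every character is chosen uniformly (no modulo bias)."""
    limit = 256 - (256 % len(alphabet))  # largest multiple of len(alphabet) <= 256
    # About 3% of bytes are rejected for a 62-symbol alphabet; 2*length+64 is ample.
    stream = hkdf_expand(seed, b"password", 2 * length + 64)
    chars = [alphabet[b % len(alphabet)] for b in stream if b < limit]
    if len(chars) < length:
        raise RuntimeError("derived stream too short for the requested length")
    return "".join(chars[:length])


if __name__ == "__main__":
    seed = seed_from_mash(MASH)
    print("seed (hex):", seed.hex())
    for i, k in enumerate(derive_keys(seed, 6)):
        print(f"key {i}:", k.hex())
    print("50-char password:", password_from_seed(seed, 50))
```

Requesting a longer password, or pressing the button again with a fresh label, never "runs out" of the child's input; it also never gains more than the input had. That is the caveat both brute-force comments turn on: an attacker does not guess the 50-character password, they guess the seed, so what matters is how many distinct keystroke bursts a toddler could plausibly have produced, not the length of the output. The same derivation on the client would avoid the separate objection that a server can keep every password it hands out.
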
------
trothamel
Ah, the NSA. Those scamps.

------
Steve0
I tend to type guid in duckduckgo.
[https://duckduckgo.com/?q=Guid](https://duckduckgo.com/?q=Guid)

Bad idea?

~~~
jolux
You can also just type password and it'll generate a password.

~~~
mxcrossb
You can actually just do this on any website. When making an account, just
type password into the password field. The best part is you can do the exact
same thing at login, so you never have to memorize the super secure password
they generate.

~~~
ChrisGranger
You jest, but it seems an awful lot of people actually do do this...

------
c8g
I need a secure password, so, I am going to use a password that was generated
in a secure server :) what a great idea :)

------
cookingoils
hmmm interesting... was this site based on this post from '17?
[https://artur.co/blog/07-30-17-preschooler-secure-password-t...](https://artur.co/blog/07-30-17-preschooler-secure-password-technique)

------
tokstesla
Nice idea. But most times, the passwords can be difficult to memorize.

~~~
WilliamEdward
Friendly advice: you should be using a password manager, not memorising
passwords :) Longer passwords are better.

~~~
tokstesla
How then do I secure the password manager?

~~~
pkolaczk
A single strong password you can memorize.

------
33Backpack33
Report for child labor!

------
goldenkey
Is the name because only a toddler would use a password not generated on their
own rig?

------
nyolfen
Still as vulnerable to a rubber ducky attack as ever.

------
br1anberg
I still really like dinopass.com

