How can one test if a password generator is cryptographically secured?

Çağlar Arlı

Given the plethora of random password generators (RPG) available, I'd like to do some black box testing on some.

Let's take https://passwordsgenerator.net/ for example. Assuming the whole generator is a black box with 0 information about how the passwords are generated (can't even view the .js stuff), and all we have is a "Generate password" button that somehow outputs a seemingly random password each time it's clicked.

We do NOT know:

  • Who made or hosts the RPG
  • What algorithms are used to generate the password
  • How they get the randomness (Atomic decay? Lava lamps? Monkeys on typewriters? People trying to exit Vim?)
  • Source code.

What we know:

  • If you click "Generate password", you get a seemingly random password

We can get thousands or millions of passwords as testing data. Given just those passwords, can we analyze them to figure out (even just estimate) how cryptographically secured the RPG is?

(I'm not looking for processes enough to generate whole reports and research papers. I'm just thinking of a way the common people can do a "quick" and rough test on the RPGs, maybe to choose between the common RPGs)
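
A rough first-pass check of the kind the question asks about, as an added example that is not part of the original post: it pools the characters of a large sample and tests them for frequency bias and for repeated passwords. The 62-character alphabet, the function names and both seeded sample generators are assumptions constructed for the demonstration; a pass only rules out gross flaws, because the predictable Mersenne Twister sample passes as well.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits  # assumed 62-symbol alphabet


def bias_z_score(passwords, alphabet=ALPHABET):
    """Chi-square of pooled character counts vs. uniform, as a z-score."""
    counts = Counter("".join(passwords))
    total = sum(counts.values())
    expected = total / len(alphabet)
    chi2 = sum((counts[c] - expected) ** 2 / expected for c in alphabet)
    df = len(alphabet) - 1
    return (chi2 - df) / math.sqrt(2 * df)  # normal approximation, rough


def duplicate_count(passwords):
    """Number of samples that repeat an earlier one (should be 0)."""
    return len(passwords) - len(set(passwords))


def looks_flawed(passwords, z_limit=5.0):
    """True if the sample shows gross bias or any repeated password."""
    return bias_z_score(passwords) > z_limit or duplicate_count(passwords) > 0


# Constructed samples, seeded so the run is repeatable. Neither is a CSPRNG.
def sample_modulo_bias(n, length=16, seed=1):
    # byte % 62 favours the first 8 symbols (256 = 4 * 62 + 8)
    rng = random.Random(seed)
    return ["".join(ALPHABET[rng.getrandbits(8) % 62] for _ in range(length))
            for _ in range(n)]


def sample_uniform_predictable(n, length=16, seed=1):
    rng = random.Random(seed)  # Mersenne Twister: uniform but predictable
    return ["".join(ALPHABET[rng.randrange(62)] for _ in range(length))
            for _ in range(n)]


if __name__ == "__main__":
    for name, gen in [("modulo bias", sample_modulo_bias),
                      ("uniform, predictable", sample_uniform_predictable)]:
        pw = gen(20000)
        print(name, round(bias_z_score(pw), 1), duplicate_count(pw),
              looks_flawed(pw))
```

To test a real generator, replace the constructed samples with the collected passwords and set `ALPHABET` to the symbols that generator is configured to emit.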