When you access any platform via your account on Mailpass, you may notice that instead of a regular-looking email address as the credential (i.e. josephine@company.com), you see a slightly odd-looking randomly generated alias like "whelk-cadenced@" or "people-sylphic@". 

While this might seem like a quirky feature, there's actually a crucial security reason behind it: these random aliases help protect your account from unauthorized access.

In the world of online security, randomness is king. The more unpredictable and chaotic the data used to secure your account, the harder it is for hackers and cybercriminals to crack the code and break in. That's why Mailpass goes the extra mile to ensure that the aliases used for your login credentials are as random as possible.

But generating true randomness is trickier than you might think. Computers, for all their processing power and complexity, are actually designed to be predictable. Feed a computer the same input twice, and it will dutifully spit out the same output both times. That's great for reliability, but not so great for randomness.

So how do you get a computer to produce the unpredictable, chaotic data necessary for generating secure random aliases? You have to look to the real world. And as it turns out, one of the best sources of randomness is something you might associate more with 1970s dorm rooms than with cutting-edge cybersecurity: lava lamps.

We lava some randomness

This insight isn't new. Back in 1996, a company called Silicon Graphics patented a system called "Lavarand" that used lava lamps to generate randomness for encryption. But in recent years, the cybersecurity giant Cloudflare has taken this concept to a whole new level.

At Cloudflare's headquarters in San Francisco, they've set up what they call the "Wall of Entropy": a wall of about 100 lava lamps, with a camera trained on them 24/7. The ever-shifting, chaotic patterns of the lava lamps provide a constant stream of unpredictable input that Cloudflare uses to seed their random number generators.

Here's how it works: the camera snaps a photo of the lava lamps at regular intervals, capturing the unique arrangement of the lava at that moment in time. That photo is then translated into a string of numbers, with each pixel assigned a numerical value based on its color and brightness. The resulting string of numbers is utterly random, a product of the chaotic physical processes swirling inside the lava lamps.

Cloudflare then takes that random number string and uses it as a seed for a cryptographically secure pseudorandom number generator (CSPRNG). The CSPRNG takes the random seed data and uses complex mathematical algorithms to "stretch" it into an effectively infinite stream of unpredictable output. (You can read more about that in Cloudflare’s own words here.)

Security by randomness, the Mailpass way

Whilst Mailpass has not quite gotten to setting up its own lava lamp wall (yet), we also use a cryptographically secure pseudorandom number generator (CSPRNG) to create these aliases, which means they are essentially impossible to predict or guess, even for a computer. The aliases are combinations of words with high entropy, themselves generated from the original hash produced by CSPRNG. Even if they do read a bit like gibberish,  that's exactly what we want - an alias that has no meaning and no connection to you personally. In the future, we intend to go one step further and bring in a vast chain of chaotic, real-world entropy, traced all the way back to the hypnotically shifting globs in Cloudflare's lava lamps.

Of course, you might be wondering, if the aliases are so random, how does our system know how to authenticate you when you log in? The key is that while the alias itself is random, it is permanently and securely linked to your account in our database. When you verify by your passkey, we unlock the alias credential associated with that platform. Meanwhile, our PassGuard technology ensures that once an alias has been created and used with one platform, it cannot be used in any meaningful way by any other platform, or indeed a bad actor. It is a truly random, unique link between you and the platform, without giving away any critical information.

Interestingly in Cloudflare’s case, the lava lamps aren't the only source of randomness. They also gather entropy from other chaotic physical processes, like the flickering of a candle flame or the radioactive decay of a pellet of uranium (in safe, controlled conditions, of course). And all of this real-world entropy is mixed together with randomness harvested from the computer's own operating system, like the tiny variations in the timings of keystrokes and mouse movements.

So the next time you see a wacky alias on your Mailpass account, take a moment to appreciate the incredible lengths we go to to keep your account secure. Your data is being protected not just by cutting-edge maths and computer science, but inspired also by the hypnotic dance of decades-old lava lamps, still dutifully churning out chaos after all these years. It’s what inspired our strangely entrancing login and register screen backgrounds [1].

Paradoxically, there is nothing more predictable to keeping you safe, than introducing as much randomness as possible.

If you are looking to improve your access and security across your company, or win customers via security compliance (without the high price tag) - drop us a line.

[1] The experience on Safari is less fun, of course! As it disables SVG filters which are integral to the lava-like effect.