Random the Book

Random the Book: Matt Ballantine and Nick Drage's experiment in serendipity and chance.

When should you change default settings?

Questions for you:

  • Where in your organisation do you rely on security or privacy that depends on randomness you have not verified is genuinely random?
  • Can you think of processes, systems, or configurations that appear individualised or unpredictable but are in fact generated by a deterministic algorithm from known inputs, where you only ever see one instance of that output and so cannot tell the difference?
  • What is the organisational equivalent of “change the password even if it looks random” — the default setting that most people leave unchanged because it appears to be fine?

Organisational applications:

Apparent randomness is only as good as its source: The story’s central insight transfers directly to any organisational context where security or fairness depends on randomness: the question to ask is not whether the output looks random but how it was generated. A password that appears random but was derived from the serial number via a known algorithm is not random in any security-relevant sense.

The same applies to sampling procedures that appear random but follow a predictable sequence, audit selections that look unbiased but are generated by deterministic rules, and any other organisational process where the appearance of randomness is used as a proxy for genuine unpredictability. Tracing the randomness to its source is the relevant audit, not inspecting the output.
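As an added illustration (not from the book, the story, or the original page), the Python below uses a constructed toy vendor scheme in which a device's default password is derived deterministically from its serial number. A naive "does the output look random?" entropy check is typically satisfied by those passwords, while an audit that traces each credential back to its source (recomputing the toy default for every serial in a constructed inventory and comparing hashes) finds the devices still running defaults. The scheme, the serial numbers and the inventory are all assumptions made up for the example.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter

# Assumption: a constructed toy vendor scheme, not any real product's algorithm.
# The "random-looking" default password is 16 hex digits of SHA-256 over the serial.
def toy_default_password(serial: str) -> str:
    return hashlib.sha256(serial.encode()).hexdigest()[:16]


def credential_hash(password: str) -> str:
    """What the (constructed) fleet inventory stores instead of the plaintext password."""
    return hashlib.sha256(password.encode()).hexdigest()


def shannon_entropy(text: str) -> float:
    """Bits of Shannon entropy per character, computed from character frequencies."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(password: str, threshold: float = 3.0) -> bool:
    """The inspect-the-output check the text warns against: it only sees character spread,
    not where the characters came from."""
    return shannon_entropy(password) >= threshold


def fresh_credential() -> str:
    """A replacement credential from the OS CSPRNG: not derivable from any device metadata."""
    return secrets.token_urlsafe(16)


def audit_fleet(inventory):
    """Trace each credential to its source: flag devices whose stored hash still equals
    the hash of the toy default derived from their serial. Returns flagged serials in order."""
    flagged = []
    for serial, stored_hash in inventory:
        expected = credential_hash(toy_default_password(serial))
        if hmac.compare_digest(expected, stored_hash):
            flagged.append(serial)
    return flagged


# Constructed inventory: three devices, two of which were left on the toy default.
CONSTRUCTED_INVENTORY = [
    ("SN-000123", credential_hash(toy_default_password("SN-000123"))),
    ("SN-000124", credential_hash(fresh_credential())),
    ("SN-000125", credential_hash(toy_default_password("SN-000125"))),
]


if __name__ == "__main__":
    for serial, _ in CONSTRUCTED_INVENTORY:
        pw = toy_default_password(serial)
        print(f"{serial}: default {pw} entropy={shannon_entropy(pw):.2f} "
              f"looks_random={looks_random(pw)}")
    print("still on default:", audit_fleet(CONSTRUCTED_INVENTORY))
```

The point of the contrast is that no statistic computed on the password string alone separates the two cases; only knowledge of the generating process does. The remediation is likewise not a stricter output check but a change of source, which is what `fresh_credential` stands in for.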

The path-of-least-resistance problem in security design: The story notes that users took the easiest path available — leaving default passwords in place — and that designers only corrected for this through a combination of wanting more secure systems and enforced legislation. This pattern is consistent across most security controls: the default behaviour of users under time pressure and competing demands is to accept whatever configuration they are given.

Organisational security postures that depend on users actively changing defaults will systematically underperform those that make the secure option the default. This is the nudge principle applied to security: the architecture of choice should make the safer option the path of least resistance rather than the one requiring deliberate action.

Defaults as embedded decisions that accumulate over time: The story’s broader implication is that every default setting is an embedded decision about acceptable risk, made at a given point in time with a specific threat model in mind. As the story shows, the threat model for networked devices changed significantly as networks became ubiquitous, but the defaults did not keep pace until forced to.

Organisations accumulate defaults across their systems, processes, and configurations — many of which were set when the organisation, its scale, or its threat environment looked very different. A periodic audit of defaults, asking not “does this still work?” but “was this the right trade-off when it was set, and is it still the right trade-off now?”, tends to surface vulnerabilities that incremental security reviews miss.

One further question: the default was set as an acceptable risk, but acceptable to whom? Does their threat model match yours?

Further reading

On security design, defaults, and human behaviour:

Thinking, Fast and Slow by Daniel Kahneman. Kahneman’s account of status quo bias and the power of defaults is the cognitive science foundation for understanding why users leave default passwords unchanged, and why security design that relies on active user behaviour systematically fails.

Nudge: Improving Decisions About Health, Wealth, and Happiness by Richard Thaler and Cass Sunstein. Thaler and Sunstein’s account of how default settings shape behaviour across many domains — from pensions to organ donation — is the most accessible treatment of why making the secure option the default is more effective than expecting users to actively choose it.

On pseudo-randomness, algorithmic generation, and its security implications:

The Art of Intrusion by Kevin Mitnick. Mitnick’s case studies include examples of attackers exploiting the gap between apparent and genuine randomness in security systems, making the story’s argument concrete with real examples.

How to Lie with Statistics by Darrell Huff. Huff’s older but still relevant account of how apparent randomness in data can conceal systematic structure is a useful complement to the story’s security focus — the principle that things which look random may be deterministic from a different vantage point applies well beyond passwords.

On the broader question of where randomness comes from in digital systems:

The Code Book: The Secret History of Codes and Code-Breaking by Simon Singh. Singh’s history of cryptography covers the development of key generation and the critical role of genuine randomness in security, providing the historical context for the story’s technical argument.

About the image

A few years ago, my eldest wanted to get a lock-picking kit. It contained a transparent padlock so you could see the mechanism. The irony is that he wants to be a police officer…

Photo montage and photo by Matt Ballantine, 2026