Browser refuses to load insecure font (that links using HTTP). You can replace "http://" with "//" so it can use HTTPS version while browsing via https.
I like your tool from a UX point of view, but nothing can fix the security issue that you use passwords created on a website which could at any time choose to store them.
PAAS (Password as a service) can and will never be a thing ;)
The security implications are all rubbish, and obviously it fails if the site goes away, but hear me out and then offer a local way of doing this, cause I'd love it:
Let's pretend you have some set of computer files that are distracting you. (A video game, or old high school/pre-divorce/estranged family photo albums, this could be anything). You want to keep them, but you want to restrict your own access to them.
Password as a service: you go to some little widget site, enter an email address, a date, and it gives you a password. Unless you have a photographic memory, you just paste it into a protected archive, forget it, and then wait until the date to get emailed a password reminder. Until then, you are locked out of your archive and there's nothing to be done until that day.
I haven't figured out a clever way of this that can't be defeated if the password is generated locally.
Most browsers these days implement window.crypto.getRandomValues() so you could use that and do the generation client-side in Javascript. That way, I don't have to trust that you're not storing these passwords in preparation for a later attack.
Quick question, it seems that the generated passwords never make use of special characters (only digits and letters). I feel that it restricts their entropy, doesn't it? I am not a security expert by any means, though, just genuinely curious.
Some terrible websites limit the characters you can supply for passwords (for telephone password input reasons, sometimes).
Also, someone who's trying to take advantage of a low-entropy password probably doesn't know what the character-set of the password actually is. In other words, they'd have to know this is where your password came from in order to recognize that special characters are off the table.
I've been using http://makemypassword.com for a few years. The Copy my Password button copies the generated password to your clipboard instead of using a keyboard combo.
Why is it telling me to press Command+C to copy the password on my Linux machine?
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
And yes, anybody who would use a password that was generated on a foreign server is very silly indeed. The password should be generated locally in the browser.
Other than those things the visual design is nice at least.
Sorry guys if I completely missed the points regarding the security. I just wanted to create a cool tool for me, and I didn't think too much about storing passwords or having enough entropy or whatever.
I've build this because I store all my passwords with VIM instead of the popular 1Password and I need to generate passwords most of the time.
Sorry, to be an asshole, but I'll use pwgen[0] over some website that gives me a password everyday. Even if it's client side only it's still a bad idea.
The tool is now 100% front-end. I used the library @mykii posted below (https://github.com/mykiimike/jen) and there should not be any HTTPS errors now.
I talking about failsafe not fallback, U will never reach the condition on browsers or nodejs. This mimic is there just to avoid a null return from .password() (generaly not checked by user) which could be more dangerous.
awesome and scary at the same time. awescary.
If I understood it correctly this should work for nodejs servers as well, for example when they create random ids for users or urls.
Hey one thing about your website It could be nice if you can add a "Hardening" button. On clicking you can set to true/false hdl.hardening(bool) in order to get very specials chars.
cheers
I see no need for this. If you're memorizing passwords, you're either not changing them often enough or not making them complicated enough. Everyone should be using a password manager. I doubt a password manager exists that doesn't generate new passwords for you.
I really liked the design, and since it is done only in front end right now, I also liked the idea.
It may not be suitable or the perfect solution for hackers like in this website, but we should remember that incredible number of people are using "password1" and "123456" and alikes. This website can really help to those who are not very well at using computers. Oh, but they will probably write these password onto a post-it and stick it on their monitor, but an effort is an effort :).
44 comments
[ 1607 ms ] story [ 2523 ms ] threadhttps://simplestpasswordgenerator.com/
PAAS (Password as a service) can and will never be a thing ;)
The security implications are all rubbish, and obviously it fails if the site goes away, but hear me out and then offer a local way of doing this, cause I'd love it:
Let's pretend you have some set of computer files that are distracting you. (A video game, or old high school/pre-divorce/estranged family photo albums, this could be anything). You want to keep them, but you want to restrict your own access to them.
Password as a service: you go to some little widget site, enter an email address, a date, and it gives you a password. Unless you have a photographic memory, you just paste it into a protected archive, forget it, and then wait until the date to get emailed a password reminder. Until then, you are locked out of your archive and there's nothing to be done until that day.
I haven't figured out a clever way of this that can't be defeated if the password is generated locally.
Most browsers these days implement window.crypto.getRandomValues() so you could use that and do the generation client-side in Javascript. That way, I don't have to trust that you're not storing these passwords in preparation for a later attack.
It works both on browsers and nodejs.
Also, someone who's trying to take advantage of a low-entropy password probably doesn't know what the character-set of the password actually is. In other words, they'd have to know this is where your password came from in order to recognize that special characters are off the table.
- password generated server-side (why?)
- mixed http/https content
- no info on how the password is generated
Nice simple UI though. :)
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
And yes, anybody who would use a password that was generated on a foreign server is very silly indeed. The password should be generated locally in the browser.
Other than those things the visual design is nice at least.
alias mkpass='head -c 9 /dev/random | base64'
Sorry guys if I completely missed the points regarding the security. I just wanted to create a cool tool for me, and I didn't think too much about storing passwords or having enough entropy or whatever.
I've build this because I store all my passwords with VIM instead of the popular 1Password and I need to generate passwords most of the time.
I'll update the tool to make it client-side only.
[0]: http://linux.die.net/man/1/pwgen
The tool is now 100% front-end. I used the library @mykii posted below (https://github.com/mykiimike/jen) and there should not be any HTTPS errors now.
The code is even on Github (https://github.com/djaiss/simplestpasswordgenerator) - so you can see that I don't do anything nasty with our precious passwords.
That's just not acceptable, even as a fallback, I'm sorry, the whole idea of this service is just horrible. Please don't use this.
This is just horrible and I honestly hope nobody will ever use this, I'm sorry.
function password(){ cat /dev/urandom | base64| tr -dc 'a-zA-Z0-9' | fold -w ${1:-20} | head -n 1 }
It may not be suitable or the perfect solution for hackers like in this website, but we should remember that incredible number of people are using "password1" and "123456" and alikes. This website can really help to those who are not very well at using computers. Oh, but they will probably write these password onto a post-it and stick it on their monitor, but an effort is an effort :).