by atoponce
2197 days ago
I audit web-based password generators as a hobby, and this one does well. What it does well on: The source code is open source licensed. Passwords are generated in the client, not on the server. The generator is random. The generator is cryptographically secure. The generator is unbiased. Mobile devices are supported. There are no JavaScript trackers loaded on the page. The site is not calling out to external resources without SRI.

Unfortunately, by only choosing 4 random words, the security margin of the passphrase is 52 bits (13 bits per word). This is practical for a hobbyist password cracker to exhaust in an offline attack. The security would be better if 6 random words were chosen instead.

Audit: https://docs.google.com/spreadsheets/d/1ucaqJ4U3X3nNEbAAa06i...
The default was chosen as 4 words due to usability concerns with longer passwords or more obscure words, but it is adjustable. The strength meter is yellow at 4 words to indicate the less-than-optimal entropy, but I felt it was better than turning a new user off by making it too hard to remember. But that's a decision I plan on revisiting.
If you are security conscious, you can save a more secure default for yourself (in local storage, nothing is ever transmitted to a server).