Library of Password & Authentication Research

This subreddit is dedicated to the scientific discussion of passwords, biometrics, CAPTCHAs, secret questions, MFA/2FA/2SV, or other factors related to user authentication. We are primarily interested in topics that promote the industry's understanding of what authentication risks we face, what practices do or don't work, and what general technologies or software exist to improve the status quo. This is not /r/TechSupport or /r/HowToHack, so don't post asking for help recovering a password or gaining access to online accounts. Discussions about the general issues of generating or storing your passwords are fine.

Here's a free audit of your password generator.

Before getting into the score, web-based password generators should be taken with caution. As an end user, unless I'm auditing 100% of the source code on every page refresh, I cannot be certain that malicious JavaScript has not been loaded to compromise my security. As a web administrator, you could trivially insert JavaScript that logs the generated passwords, date and time, IP address, browser fingerprint, and other things. Passwords are secrets, and the only one who should know that secret is the one generating the password and the service provider they wish to create an account with.

With that out of the way, here's how you did:

- The source code is proprietary, non-free software.
- The password is generated client-side.
- The password generator is random and not deterministic.
- The RNG is cryptographically secure using crypto.getRandomValues().
- A bias exists in the implementation of the RNG.
- Subresource integrity is not used when calling 3rd party resources.

Confidence is built in Free Software, where developers can contribute to the source code, improving it for everyone. It's not so much "more eyes" as much as the value of community.

While the RNG is using crypto.getRandomValues() as defined in genMathRand(), it's doing so in a biased way: Math.floor(genMathRand() * array.length). Unless array.length is a multiple of a power of 2, the multiply-and-floor method is biased. See that blog post on how to write an unbiased RNG implementation.

As a couple more points, genMathRand() falls back to Math.random() if crypto.getRandomValues() is not available. Instead, the generator should abort rather than fall back on an insecure RNG. Also, instead of using Uint32Array() and following up with return (tempGRArray) / 65536 / 65536, just use Uint8Array() to avoid the unnecessary and CPU-heavy division.

Ads and trackers create unnecessary risk for users on web-based password generator sites. They've likely already profiled the user by following them around the web as they browse, so landing on your site gives the tracking companies information about you generating passwords. Again, password generation should be secret.

Finally, subresource integrity ensures that the 3rd party resources you are loading are the ones you intend to ship with your application. This will mitigate supply-chain attacks, increasing security for your end users.