pwgen/
|
+-- **Word Truncation Algorithm**
| |
| +-- How It Works
| | |
| | |-- Fixed Length
| | | `-- Truncates words to a maximum of 5 characters
| | |
| | |-- Vowel Preservation
| | | `-- Keeps the first vowel and removes all subsequent vowels
| | |
| | |-- Consonant Retention
| | | `-- Retains all consonants from the word
| | |
| | `-- Pronounceability
| | `-- Creates shorter words that are still relatively easy to pronounce
| |
| +-- Examples
| | |
| | |-- "seem" (4 chars) -> "seem" (unchanged, already <=5 chars)
| | |-- "seemingly" (9 chars) -> "semng" (5 chars)
| | |-- "battery" (7 chars) -> "battr" (5 chars)
| | |-- "beautiful" (9 chars) -> "betfl" (5 chars)
| | `-- "strength" (8 chars) -> "stren" (5 chars)
| |
| `-- Benefits
| |
| |-- Shorter passphrases without losing too much entropy
| |-- More memorable than random character truncation
| |-- Maintains word structure and pronounceability
| `-- Consistent, predictable behavior
|
|
+-- **Security Improvements Made**
| |
| +-- 1. Content Security Policy (CSP)
| | |
| | |-- Added strict CSP meta tag to prevent XSS attacks
| | |-- Restricts external resources to only Google Fonts
| | |-- Blocks inline scripts from unauthorized sources
| | `-- Policy: default-src 'none'; style-src 'unsafe-inline';
| | font-src https://fonts.gstatic.com
| |
| +-- 2. Referrer Policy
| | |
| | |-- Added meta name="referrer" content="no-referrer"
| | |-- Prevents leaking URL information when loading external resources
| | `-- Protects against referrer-based tracking
| |
| +-- 3. Clipboard Security
| | |
| | |-- Automatically clears clipboard after 60 seconds
| | |-- Prevents passwords from lingering in clipboard memory
| | `-- Reduces risk of accidental password exposure
| |
| +-- 4. Visibility Change Detection
| | |
| | |-- Clears password display when tab is hidden/minimized
| | |-- Prevents shoulder surfing when user switches tabs
| | `-- Password automatically hidden with message:
| | "// Password hidden for security"
| |
| +-- 5. Page Unload Protection
| | |
| | |-- Clears password from memory when page is closed/refreshed
| | |-- Attempts to clear clipboard on page unload
| | `-- Prevents password persistence in browser memory
| |
| `-- 6. User Selection Disabled
| |
| |-- CSS user-select: none prevents text selection
| |-- Forces users to use the Copy button only
| |-- Reduces risk of accidental password exposure
| `-- Prevents copy-paste mistakes
|
|
+-- **Existing Security Features**
| |
| +-- 1. Cryptographically Secure Random Generation
| | |
| | |-- Uses crypto.getRandomValues() for all random operations
| | |-- CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
| | `-- Not using Math.random() which is predictable
| |
| +-- 2. Client-Side Only Processing
| | |
| | |-- No data sent to any server
| | |-- All generation happens locally in browser
| | `-- No network requests for password generation
| |
| +-- 3. No Storage
| | |
| | |-- Passwords are never stored anywhere
| | |-- No localStorage, sessionStorage, or cookies used
| | `-- No password history or logging
| |
| +-- 4. NIST SP 800-63B Compliance
| | |
| | |-- Minimum 8 characters (recommends 12+)
| | |-- Support for long passwords (up to 64 characters)
| | |-- All printable ASCII characters allowed
| | |-- No forced complexity requirements
| | `-- Length prioritized over complexity
| |
| `-- 5. 7776-Word EFF Wordlist
| |
| |-- Professional, vetted wordlist for passphrases
| |-- Designed specifically for memorable password generation
| `-- Each word provides ~12.9 bits of entropy
|
|
+-- **Remaining Considerations**
| |
| +-- 1. External Font Loading [RISK: LOW]
| | |
| | |-- Google Fonts loads from external CDN
| | |-- Could be blocked with ad blockers
| | |-- Minimal privacy impact (no password data sent)
| | `-- Mitigation: Could self-host fonts for complete offline operation
| |
| +-- 2. Browser DevTools Access [RISK: MEDIUM]
| | |
| | |-- Sophisticated users can access password via DevTools
| | |-- currentPassword variable is accessible in scope
| | |-- Mitigation: This is inherent to client-side JavaScript
| | `-- Note: Added Object.freeze() to make tampering harder
| |
| +-- 3. Browser Extensions [RISK: MEDIUM]
| | |
| | |-- Malicious browser extensions can access page content
| | |-- Could potentially read password from DOM
| | |-- Mitigation: Users should use trusted browsers and extensions only
| | `-- Note: This is outside the scope of the application
| |
| +-- 4. Screen Recording/Screenshots [RISK: MEDIUM]
| | |
| | |-- Malware could capture screenshots
| | |-- Screen sharing could expose passwords
| | |-- Mitigation: Implemented visibility change detection
| | `-- Note: User should be aware of their environment
| |
| `-- 5. Memory Inspection [RISK: LOW]
| |
| |-- Password exists in browser memory while displayed
| |-- Advanced attackers with system access could dump memory
| |-- Mitigation: Password cleared on tab switch/close
| `-- Note: This is an inherent limitation of client-side applications
|
|
+-- **Security Best Practices Implemented**
| |
| |-- [X] Cryptographically secure random number generation
| |-- [X] No server-side processing or storage
| |-- [X] No password logging or history
| |-- [X] Content Security Policy (CSP)
| |-- [X] Referrer policy protection
| |-- [X] Automatic clipboard clearing
| |-- [X] Password clearing on page hide/close
| |-- [X] User selection disabled (forced copy button)
| |-- [X] NIST guidelines compliance
| `-- [X] No dependencies on external JavaScript libraries
|
|
+-- **Security Rating**
| |
| +-- Overall Score: 9/10
| |
| +-- Summary
| | |
| | `-- This password generator implements industry best practices for
| | client-side password generation. The main limitations are inherent
| | to browser-based applications (DevTools access, browser extensions,
| | memory inspection).
| |
| `-- Threat Model Protection
| |
| |-- [X] Network Eavesdropping
| | `-- Protected (no network traffic)
| |
| |-- [X] Server Compromise
| | `-- N/A (no server)
| |
| |-- [X] Weak Random Generation
| | `-- Protected (CSPRNG)
| |
| |-- [X] Shoulder Surfing
| | `-- Partially Protected (auto-hide on tab switch)
| |
| |-- [X] Clipboard Leakage
| | `-- Protected (60-second auto-clear)
| |
| |-- [X] XSS Attacks
| | `-- Protected (CSP)
| |
| |-- [!] Malicious Extensions
| | `-- Limited Protection
| |
| |-- [!] DevTools Access
| | `-- Limited Protection (inherent to client-side)
| |
| `-- [!] Screen Recording
| `-- User Responsibility
|
|
+-- **Recommendations for Users**
| |
| |-- 1. Use this tool in a private browsing session
| |-- 2. Close the tab immediately after copying the password
| |-- 3. Clear clipboard manually after using the password
| |-- 4. Ensure no screen sharing or recording is active
| |-- 5. Use a trusted browser with minimal extensions
| |-- 6. Keep your operating system and browser updated
| `-- 7. Disable browser extensions when generating sensitive passwords
|
|
`-- **Important Notes**
|
+-- Application Type
| |
| `-- This is a PASSWORD GENERATOR, not a password manager
|
+-- What it does NOT do
| |
| |-- Does NOT store passwords
| |-- Does NOT sync passwords
| `-- Does NOT remember passwords
|
+-- What it does
| |
| `-- Generates passwords on-demand only
|
`-- Recommendation
|
`-- For password storage, use a dedicated password manager
with encryption (e.g., 1Password, Bitwarden, KeePassXC)
-
Couldn't load subscription status.
- Fork 0
NIST compliant password generator.
Couldn't load subscription status.
spidersalt/password-generator
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
About
NIST compliant password generator.
Resources
Stars
Watchers
Forks
Packages 0
No packages published