I usually generate strong passwords using various online tools. Some time ago I mentioned it to a friend of mine and he was shocked that I do such dangerous thing. Is it really so unsafe to generate passwords online? Could there be generated some kind of cookie that tracks where I pasted it?
Asked
Active
Viewed 2.5k times
22
-
2Given that there's good offline tools like [KeePass](http://keepass.info/) there's no reason to take the risk to use an online tool. – Christian Dec 15 '15 at 21:25
-
2What benefit do you think you get from using an online tool versus a local one? – Adam Shostack Dec 15 '15 at 23:19
4 Answers
26
No. It is not safe to generate passwords online. Don't do it!
In theory there are some ways that one could perhaps build a password generator that is not so bad (e.g., run it in Javascript, on your local machine, and so forth). However, in practice, there are too many pitfalls that an average user cannot be expected to detect. Consequently, I do not recommend it.
For instance, an average user has no way to vet whether the password generator does indeed ensure that the password never leaves your site. The average user has no way to verify that the web site is not keeping a copy of your password. The average user has no way to verify that the password generation code is using good entropy (and Javascript's Math.random(), which is the obvious thing to use for this purpose, is not a great pseudorandom number generator).
D.W.
- 98,420
- 30
- 267
- 572
-
All these seem good reasons for security.SE, whose users CAN check those things, to suggest one good website. :) – Nemo Nov 08 '15 at 08:50
-
3@Nemo that's a dangerous proposition. Now you're asking people to trust a site that could go rogue, could be compromised, etc. Better to do it offline. – Ohnana Dec 15 '15 at 22:16
-
@Ohnana I'm not asking anything. And doing it offline isn't any better if one uses proprietary software. – Nemo Dec 16 '15 at 21:54
-
@Nemo while I wouldn't recommend using proprietary software to generate passwords, I would argue that it _is_ safer than using a website, as the website could choose to send you a backdoored generated whenever it wants. At least with the offline software you aren't updating it every time you run it, so you only have to trust that the version you installed is safe. – AndrolGenhald Jun 12 '18 at 14:20
-
What makes you say it's not safe, when it's just the password and the site has no idea what the username is, what site/app/service it's going to be used with, how to access said site/app/service, etc.? I understand that the password may still be added to a dictionary or hash table, but without the rest, is it really much of a concern? – Jesse P. Feb 17 '19 at 01:53
1
Just because a password generator doesn't use JavaScript doesn't mean it's not safe, however it would be easy for the server to store the password sent out with your IP address. If this is a concern it would be easy to change a few characters in the password. The GRC Ultra High Security Password Generator does not use JavaScript but "this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999". Each "instance" of this page has multiple passwords so even if GRC did log them (which I doubt they do) they wouldn't know which one you've chosen to use. If you still want a JavaScript based generator here is one.
-
3That page displays just fine when accessed over Tor via the Internet Archive. Some "proxy-proofing" done there. And "the techie details" go to some length to argue that the passwords provide... what work factor exactly? 512 bits? How can a password of 256 bits (like the 64 hex digits one) provide 512 bits of security, no matter how it's generated? Nowhere on the page do I even see what character set is being used for the other two alternatives. – user May 17 '18 at 08:49
-
@MichaelKjörling It can't. In fact, the secrets (including the "secret IV", and note that IVs are not meant to be secret) are likely generated with the kernel's random number generator, which uses a 256-bit cipher on Linux, Windows, and most BSDs. **I'd also just like to point out the absurdity of _intentionally_ using a certificate expired in 1999 and calling it "high-security".** – forest May 18 '18 at 09:25
-
@forest Exactly. It's a lot of impressive-sounding words which appear to have very little or even no basis in reality, and *relevant* information (like which character set is used when generating the passwords) is omitted. Regarding the 1999 though, I suspect that's a Cache-Control header or some of its ilk, rather than being in reference to the server certificate. (Not to say that a simple "no-cache" wouldn't work just as well; if you can't trust a proxy to get *that* right, there is no reason to assume that it gets date-based expiration right either.) – user May 18 '18 at 09:35
-
My god, every new "Gibson Research" password-related site I see gets an even bigger facepalm than the last one. I'm not sure whether he's a master troll or if he actually does *almost* understand a bunch of password concepts and somehow manage to get all the advice he gives subtly wrong anyway. – Ben Sep 17 '18 at 16:19
0
You can try this tool https://thedevband.com/generate-password.html This tool works offline, so you can try the following:
- Open the tool on any browser.
- Disconnect internet.
- Use the tool to generate a password.
- Clear all cache on your browser.
- Connect to your computer to the internet again to continue your work.
By this way, this tool can not collect and store your passwords. The tool is legit but you can do these steps just to make sure.
Tung Nguyen
- 117
- 1
-
1While I believe you are correct that this would prevent them from logging generated passwords, they still may be able to use a generation method that _appears_ random to you, but that they can easily break. This is of course true of any password generator that isn't audited, but unfortunately anything web-based relies on the website to supply you with the code, so you can't even be sure you're running the same code as everyone else that visits the site (which makes it impossible to audit). – AndrolGenhald Jun 12 '18 at 14:14
-1
If the password is being generated locally in JavaScript and there is no traffic back to the server, you should be fine.
If the password was being stored in a cookie it would only be viewable from the site that it originated from, due to the same origin policy. You would also be able to detect this by checking your cookies.
Their is the possibility for disclosure of information if you use a bookmarklet such as the one at http://supergenpass.com (JavaScript in a bookmark). The bookmarklet is stored locally, but run in the context of the site you are at, so if there is JavaScript running from that site that is setup to detect your bookmarklet, it could access information that the bookmarklet, uses, prompts for, and generates.
Phillip Nordwall
- 1,024
- 9
- 13
-
"_You would also be able to detect this by checking your cookies._" how would you do that? – curiousguy Jul 31 '12 at 22:06
-
1Like other answers, this overlooks the possibility of a backdoored password generator. – AndrolGenhald Jun 12 '18 at 14:22