While in general the higher the score, the better the generator, this audit shows that things are a bit more nuanced than that. Each auditing category should help you identify which generator to recommend to your family, friends, or acquaintances.


Software License

There is greater value in Free and Open Source Software under permissive copyright licenses than in proprietary, closed-source, "non-free" software. Such permissive licenses allow the software development community to build on the code, providing patches and improved versions of the software.

One point is granted for "Open Source" and zero points for "Proprietary".

License: Open Source | Proprietary

Server vs. Client Generation

Each password should be generated in the client without any knowledge of the generation process by another computer, including the web server. Of course a web serving host will know you visited the site to generate a password, but the server should not have any knowledge of the generation process itself.

One point is granted for "Client", and zero points for "Server".

Generator: Client | Server

Generation Type

Deterministic password generators have four fundamental flaws that are worth knowing. They are:

  1. Cannot accommodate varying password policies without keeping state.
  2. Cannot handle revocation of exposed passwords without keeping state.
  3. Cannot store alternative existing secrets, such as SSNs or CCNs.
  4. Exposure of the master password alone exposes all site passwords.

The fourth item in that list is the most fatal. While the discovery of the master password of an encrypted password database is no different than with deterministic generators, the database itself must also be compromised. This isn't to say deterministic generators are "bad", they just come with extra risks and inconveniences that are worth knowing about.

One point is awarded for "Random", zero points for "Unknown" or "Deterministic".

Generator: Random | Unknown | Deterministic

RNG Security

The random number generator responsible for generating the password must be cryptographically secure. This means using window.crypto.getRandomValues() or window.msCrypto.getRandomValues(), or a CSPRNG in userspace shipped with a JavaScript crypto library, such as the Stanford JavaScript Cryptographic Library. This also means not using Math.random(), and not pressing a generic block or stream cipher into service as the generator.

In the case of deterministic generators, which derive every password from a master password, the master password must be hashed with a dedicated password hashing or key derivation function using an appropriate cost parameter. This means using:

This also means NOT using MD5, SHA-1, SHA-2, SHA-3, or any other fast generic cryptographic hashing function.

One point is awarded for "Yes", zero points for "Maybe", "Unknown", or "No".

CRNG: Yes | Unknown | Maybe | No

RNG Uniformity

Even though the developer may have chosen a cryptographically secure random number generator, the output could still be biased or non-uniform. The usual mistake is to generate a 32-bit number and reduce it modulo the length of the character set. Unless the size of that character set is a power of two, the generator will be biased. Oddly enough, with deterministic generators, even if MD5 is used as the non-secure pseudorandom function, the generator is uniform as long as the hash output is truncated rather than reduced modulo a non-power-of-two character set.

One point is awarded for "Yes", zero points for "Unknown", "Maybe", or "No".

Uniform: Yes | Unknown | Maybe | No

RNG Entropy

Best practice is for passwords to be built with at least 70 bits of entropy. Each generator's entropy value is the entropy of the password it produces by default, without any interaction from the user, even if the user could increase or decrease the password strength. A hobbyist GPU password cracking rig can brute force every 8 character ASCII keyboard password in under one week, which is about 51 bits of entropy if generated randomly. A 9 character ASCII keyboard password provides about 57 bits of entropy, and would take the same hobbyist password cracker about 94 weeks to brute force every possibility.

One point is awarded for 70 bits or more, 0.5 points is awarded for 55 to 69 bits of entropy, and zero points are awarded for 54 bits or less.

Entropy: 70 or more | 55 to 69 | 54 or less

Network Security

Password generation software should be delivered via HTTPS to prevent man-in-the-middle (MITM) script injection. This means that the site should be served with TLS using a valid certificate chain (green lock in your browser). TLS ties the data you receive to the domain named in the certificate, so if the certificate chain is invalid, or the certificate is self-signed, or any part of the TLS stack is not secure, this guarantee can no longer be given. Also, the site should deliver the data under HTTPS by default; the user should not need to manually type "https://" into their browser's address bar.

One point is awarded for "Yes", zero points otherwise.

HTTPS: Yes | Not Default | Expired | No

Mobile View Support

Given the ubiquity of mobile devices, web developers should have long been designing websites with mobile devices in mind. It's not uncommon now for people to use their phone or tablet more than their laptop or desktop, so if they are visiting your web password generator, odds are good they are using a mobile device. If the user is doing a lot of pinch-zooming to navigate the site, the user experience isn't pleasant, and if the UX isn't pleasant, they may not come back to use the generator.

One point is awarded for "Yes", zero points for "No".

Mobile: Yes | No

Ads and Tracker Scripts

I understand that companies and web developers want to use third-party analytics and tracking scripts to see how people are using their site. They want this data so they know how to better promote their brand and improve their sales margins. Further, it's popular for site owners to use online advertising to help "pay the bills" of web hosting. Unfortunately, this means that these third parties are aware that you have customers visiting your password generator. Under no circumstances should anyone know they are looking for a new password, except for maybe the ISP for packet routing, the DNS server, and the web host.

If you don't believe this is a problem, install the Lightbeam extension for Firefox. This extension will show you which sites have fingerprinted your browser, and where that fingerprint is being tracked as you navigate the web. It gets worse when companies like Facebook can track your web activity even though you're not using the social site. Fill your domain with trackers and ads all you like, just keep them off your password generator.

One point is awarded for "No", zero points for "Yes".

Trackers: Yes | No

Offline vs Online

In the case of bookmarklets or browser extensions, non-geek users will assume that the software will be running offline, and it's a reasonable assumption. Your bookmarklet or extension shouldn't be using iframes to call a remote generator, or "calling home" in any way, including advertising and tracking scripts. Some extensions may actually require an account, such as in the case with password managers, so those have been handled separately.

One point is awarded for "Yes", zero points for "No".

Offline: Yes | No

Subresource Integrity

One point is awarded for "Yes" or "N/A", zero points for "No".

SRI: Yes | N/A | No

Scoring

Score: Perfect | Perfect - 1 | Perfect - 2 | 51% | 50%