While in general, the higher the score, the better the generator, this audit shows things are a bit more nuanced than that. Each auditing category should help you identify which generator would be a good suggestion when suggesting password generators to your family, friends, or acquaintances.
There is greater value in Free and Open Source Software under permissive copyright licenses than in proprietary, closed-source, "non-free" software. Such permissive licenses allow the software development community to build on the code, providing patches and improved versions of the software.
One point is granted for "Open Source" and zero points for "Proprietary".
Each password should be generated in the client without any knowledge of the generation process by another computer, including the web server. Of course a web serving host will know you visited the site to generate a password, but the server should not have any knowledge of the generation process itself.
One point is granted for "Client", and zero points for "Server".
Deterministic password generators have four fundamental flaws that are worth knowing. They are:
One point is awarded for "Random", zero points for "Unknown" or "Deterministic".
In the case of deterministic generators that are based on a master password, the master password must be hashed with a dedicated password hashing or key derivation function using an appropriate cost. This means using:
One point is awarded for "Yes", zero points for "Maybe", "Unknown", or "No".
Even though the developer may have chosen a cryptographically secure random number generator, the output could still be biased or non-uniform. The usual cause is generating a 32-bit number and then reducing it modulo the length of the character set. Unless the size of that character set is a power of two, the generator will be biased. Oddly enough, with deterministic generators, even if MD5 is used as the non-secure pseudorandom function, if the result is truncated, the generator is uniform.
One point is awarded for "Yes", zero points for "Unknown", "Maybe", or "No".
Best practice is for passwords to be built with at least 70 bits of entropy. Each generator's entropy value is the default entropy when a password is generated without any interaction from the user, even if it's possible to increase or decrease the password security. A hobbyist GPU password cracking rig can brute force through every 8 character ASCII keyboard password in under one week, which is about 51 bits of entropy if generated randomly. A 9 character ASCII keyboard password provides about 57 bits of entropy, and would take the same hobbyist password cracker about 94 weeks to brute force every possibility.
One point is awarded for 70 bits or more, 0.5 points is awarded for 55 to 69 bits of entropy, and zero points are awarded for 54 bits or less.
Password generation software should be delivered via HTTPS to prevent MITM software injection. This means that the site should be served with TLS using a valid certificate chain (green lock in your browser). TLS binds the data signed under the certificate to the domain hosting that data, so if the certificate chain is invalid, or the certificate is self-signed, or any part of the TLS stack is not secure, this guarantee can no longer be given. Also, the site should deliver the data under HTTPS by default now; the user should not need to manually type "https://" into their browser's address bar.
One point is awarded for "Yes", zero points otherwise.
Given the ubiquity of mobile devices, web developers should have long been designing websites with mobile devices in mind. It's not uncommon now for people to use their phone or tablet more than their laptop or desktop, so if they are visiting your web password generator, odds are good they are using a mobile device. So if the user is doing a lot of pinch-zooming to navigate the site, then the user experience isn't pleasant, and if the UX isn't pleasant, they may not come back to use the generator.
One point is awarded for "Yes", zero points for "No".
I understand that companies and web developers want to use 3rd party analytics and tracking scripts to see how people are using their site. They want to know this data so they know how to better promote their brand and improve their sales margins. Further, it's popular for site owners to use online advertising to help "pay the bills" of the cost of web hosting. Unfortunately, this means that these 3rd parties are aware that you have customers visiting your password generator. Under no circumstances should anyone know they are looking for a new password, except for maybe the ISP for packet routing, the DNS server, and the web host.
If you don't believe this is a problem, install the Lightbeam extension for Firefox. This extension will show you what sites have fingerprinted your browser, and where that fingerprint is being tracked as you navigate the web. It gets worse when companies like Facebook can track your web activity, even though you're not using the social site. Fill your domain with trackers and ads all you like, just keep them off your password generator.
One point is awarded for "No", zero points for "Yes".
In the case of bookmarklets or browser extensions, non-geek users will assume that the software will be running offline, and it's a reasonable assumption. Your bookmarklet or extension shouldn't be using iframes to call a remote generator, or "calling home" in any way, including advertising and tracking scripts. Some extensions may actually require an account, such as in the case with password managers, so those have been handled separately.
One point is awarded for "Yes", zero points for "No".
One point is awarded for "Yes" or "N/A", zero points for "No".
| Score | Perfect | Perfect - 1 | Perfect - 2 | 51% | 50% |