What are the security considerations for a JavaScript password generator?

Over time, I have been considering using a JavaScript bookmarklet to generate passwords for the different sites I visit, to avoid the problem of "similar passwords everywhere" while still being portable. However, after reading this article, it became clear to me that using this method would mean that one malicious page could jeopardize all my security.

Now I'm thinking about the following solution: a bookmarklet that does only one thing: opens a new page with the original URL appended (e.g. http://example.com/password_man.html?url=slashdot.org ). The script located on the page at example.com will generate the actual passwords.

Does anyone see any security issue with this approach? Although it is less convenient than the original, as far as I can see, even a malicious page could only see the generated password and would not have access to important information, such as the master password. Am I understanding this correctly?

Additional explanations:

  • Password generation will be performed entirely on the client side. The "password_man.html" mentioned in the example above will contain JavaScript code similar to the one already in the bookmarklet, and it will contain an input field for the master password.
  • Interpretation of the "url" parameter will also be performed on the client side. I am thinking of hosting this file as a specific version in my Google Code account (i.e. v1234 of password_man.html), which would ensure that I cannot modify the page behind users' backs.
  • In addition, HTTP vs. HTTPS is not a problem, since all processing is performed in the client's browser and no data is sent back to the server. You could argue that a MITM attacker can modify the page so that it sends back the generated password, for example (or the master password, for that matter), if you use a plaintext protocol (for example, HTTP), but if you are already in a MITM situation, there are other attacks that are easier to carry out (for example: sniffing the password from the request that sends it, or sniffing the session identifier, etc.).

Update: after searching and discussing the problem, I came to the conclusion that this cannot be done safely on one page. Even if the bookmarklet captures only the domain and opens a new window (via window.open), the malicious site can always redefine window.open so that it opens a copy of the page that would actually capture the master password (basically, a phishing attack).

+4
4 answers

SuperGenPass sounds very much like what you propose to do.

If the reason for implementing this as a bookmarklet is portability, there are existing multi-platform password managers. For example, I use LastPass; it supports all major browsers, also works in Opera Mini, and is also available in bookmarklet form.

+2

You might also want to pass the passphrase along with the URL, so there are two things you need to know to recover your password.

If you pass only the URL and it always maps to the same password, then only one person can use this application.

The chance that two people will use the same passphrase is small, and you can use the same passphrase for each site.

If you use an https connection, it will be safer from sniffing.

I believe that you have some usability problems with your approach, and if you use an http connection, then you will also be vulnerable to sniffing. The fact that someone can get the password just by knowing the URL means that it is more vulnerable than using the same password on every site, IMO.

Update: Given the clarification, my answer changes.

Basically, in JavaScript you can have private members, so other code cannot see the values unless something like Firebug is used, but then it is the user looking at it.

This link will help explain this in more detail: http://www.crockford.com/javascript/private.html

If you keep the master passphrase and all the information related to it private and generate the password from there, then no other JavaScript code can get at this information, because you will create setters without getters.

This will allow you to create a secure password generation page.

0

If you don't mind a Firefox-centric solution, take a look at Password Hasher. There is a "portable page" option that allows you to create a page that can be used with other browsers, but I have only just tried it with Chrome.

The source for it is available here if you want to adapt it for another browser.

0

JavaScript PRNGs are usually not cryptographically strong: https://bugzilla.mozilla.org/attachment.cgi?id=349768 ; therefore, if you use one to generate passwords, other sites may be able to guess the generated password or even influence the chosen password.

0
