Moved password generation to the client #13

Merged

bookercodes merged 18 commits from master into master 2015-08-16 09:25:11 +00:00

Conversation 3 Commits 18 Files Changed 1 +265

bookercodes commented 2015-08-14 17:27:34 +00:00 (Migrated from github.com)

Copy Link

Hello,

I have ported the server-side password generator to JS. It uses RandomSource.getRandomValues() which is cryptographically secure - it should work in all modern browsers. I could make it work in older-browsers by falling back to ISAAC or something but that would not be totally secure.

I also improved the UI and UX (imo):

(The alert is a normal Bootstrap alert alert-info but due to the GIF's limited colour palette, it looks different...)

I know you were concerned about users who disable JS. If someone visits this website without JS enabled, they are shown this message:

If you want, we can link those users the server-side password generator (e.g. append to that alert the sentence: "If you want, you can use the server-side based solution that does not require JS".)

I am taking a bit of a risk here because you did not explicitly say: "Yes, please do this" but I feel strongly that password generation should be done on the client when possible, so do other people in the community.

An additional benefit of doing this on the client-side is that, users can download password.html and use it locally without the need to run a local PHP server.

I am looking forward to hear what you think, @privacytoolsIO.

Hello, I have ported the server-side [password generator](https://github.com/privacytoolsIO/privacytools.io/blob/master/pw.php) to JS. It uses [_`RandomSource.getRandomValues()`_](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues) which is cryptographically secure - it _should_ work in all [modern browsers](http://caniuse.com/#feat=getrandomvalues). I _could_ make it work in older-browsers by falling back to [_ISAAC_](http://burtleburtle.net/bob/rand/isaacafa.html) or something but that would not be totally secure. I also improved the UI and UX (imo):  (The alert is a normal Bootstrap `alert alert-info` but due to the GIF's limited colour palette, it looks different...) I know you were concerned about users who disable JS. If someone visits this website without JS enabled, they are shown this message:  If you want, we can link those users the server-side password generator (e.g. append to that alert the sentence: _"If you want, you can use the server-side based solution that does not require JS"_.) I am taking a bit of a risk here because you did not explicitly say: _"Yes, please do this"_ but I feel **strongly** that password generation should be done on the client when possible, so do other people in the community. An additional benefit of doing this on the client-side is that, users can download `password.html` and use it locally without the need to run a local PHP server. I am looking forward to hear what you think, @privacytoolsIO.

privacytoolsIO commented 2015-08-16 09:53:07 +00:00 (Migrated from github.com)

Copy Link

Great work, alexbooker! I just changed a couple of things, please review it. Your new generator is already online, and old links redirect also to the new generator. Thanks :)

Great work, alexbooker! I just changed a couple of things, please review it. Your new generator is already online, and old links redirect also to the new generator. Thanks :)

bookercodes commented 2015-08-16 09:56:20 +00:00 (Migrated from github.com)

Copy Link

Awesome!

There is only one more thing to do, I think - make the "Source code" link point to the source file. I'll do that now and commit directly to master. I'll ping you here once it's done so you can update the server.

_Awesome!_ There is only one more thing to do, I think - make the "Source code" link point to the [source file](https://github.com/privacytoolsIO/privacytools.io/blob/master/password.html). I'll do that now and commit directly to `master`. I'll ping you here once it's done so you can update the server.

bookercodes commented 2015-08-16 09:57:58 +00:00 (Migrated from github.com)

Copy Link

OK, @privacytoolsIO - I did it.

OK, @privacytoolsIO - I did it.

This repo is archived. You cannot comment on pull requests.

Reviewers

No Reviewers

Labels

Clear labels

🔍🤖 Search Engines

approved

approved, waiting for a PR

dependencies

Pull requests that update a dependency file

duplicate

feedback wanted

high priority

I2P

The Invisible Internet Project (I2P)

iOS

low priority

OS

Operating Systems

Self-contained networks

Social media

stale

A label for stalebot if it gets added

streaming

Anything related to media streaming.

todo

Tor

Anything covering the Tor network

WIP

active work in progress, do not merge or PR (yet)!

wontfix

Issues or bugs that will not be fixed and/or do not have significant impact on the project.

XMPP

Extensible Messaging and Presence Protocol

[m]

Matrix protocol

₿ cryptocurrency

ℹ️ help wanted

↔️ file sharing

⚙️ web extensions

Browser Extension related issues

✨ enhancement

❌ software removal

💬 discussion

🤖 Android

🐛 bug

💢 conflicting

📝 correction

Correction of content on the website

🆘 critical

📧 email

🔒 file encryption

📁 file storage

🦊 Firefox

Firefox & forks, about:config etc.

💻 hardware

🌐 hosting

🏠 housekeeping

Anything primarily related to site cleanup.

🔐 password managers

🧰 productivity tools

🔎 research required

🌐 Social News Aggregators

🆕 software suggestion

👥 team chat

🔒 VPN

Virtual Private Network

🌐 website issue

*Technical* issues with the website.

🚫 Windows

👁️ browsers

🖊️ digital notebooks

🗄️ DNS

Domain Name System

🗨️ instant messaging (im)

🇦🇶 translations

Anything covering a translated version of the site

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

jonah

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#13

No description provided.