Moved password generation to the client #13

Merged
bookercodes merged 18 commits from master into master 2015-08-16 09:25:11 +00:00
bookercodes commented 2015-08-14 17:27:34 +00:00 (Migrated from github.com)

Hello,

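I have ported the server-side [password generator](https://github.com/privacytoolsIO/privacytools.io/blob/master/pw.php) to JS. It uses [`RandomSource.getRandomValues()`](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues) which is cryptographically secure - it should work in all [modern browsers](http://caniuse.com/#feat=getrandomvalues). I could make it work in older browsers by falling back to [ISAAC](http://burtleburtle.net/bob/rand/isaacafa.html) or something but that would not be totally secure.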

I also improved the UI and UX (imo):

(The alert is a normal Bootstrap `alert alert-info` but due to the GIF's limited colour palette, it looks different...)

I know you were concerned about users who disable JS. If someone visits this website without JS enabled, they are shown this message:

If you want, we can link those users to the server-side password generator (e.g. append to that alert the sentence: "If you want, you can use the server-side based solution that does not require JS".)

I am taking a bit of a risk here because you did not explicitly say: "Yes, please do this" but I feel strongly that password generation should be done on the client when possible, so do other people in the community.

An additional benefit of doing this on the client-side is that users can download `password.html` and use it locally without the need to run a local PHP server.

I am looking forward to hearing what you think, @privacytoolsIO.

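Added example, not part of the pull request or the project's code: a sketch of the client-side generation described in the comment above, using `getRandomValues()` with rejection sampling so every character is equally likely, and throwing instead of falling back to a non-cryptographic generator. The names `getCsprng`, `randomIndex`, `generatePassword`, `entropyBits` and the character set are assumptions made for illustration.

```javascript
// Hypothetical character set (75 symbols); the project's own set may differ.
const DEFAULT_CHARSET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_';

// Locate Web Crypto: browsers expose it as `crypto`; older Node.js
// releases expose it as require('node:crypto').webcrypto.
function getCsprng() {
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    return globalThis.crypto;
  }
  if (typeof require === 'function') {
    return require('node:crypto').webcrypto;
  }
  // Deliberately no Math.random() fallback: it is not a CSPRNG.
  throw new Error('No cryptographically secure random source available');
}

// Uniform integer in [0, n) by rejection sampling, which avoids the
// modulo bias of a plain `byte % n` when n does not divide 256.
function randomIndex(rng, n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer between 1 and 256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 20, charset = DEFAULT_CHARSET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  const symbols = Array.from(new Set(charset)); // duplicates would skew the odds
  if (symbols.length < 2) throw new RangeError('charset needs 2+ distinct characters');
  const rng = getCsprng();
  let out = '';
  for (let i = 0; i < length; i++) out += symbols[randomIndex(rng, symbols.length)];
  return out;
}

// Entropy of a generated password in bits: length * log2(alphabet size).
function entropyBits(length, charset = DEFAULT_CHARSET) {
  return length * Math.log2(new Set(charset).size);
}
```
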
privacytoolsIO commented 2015-08-16 09:53:07 +00:00 (Migrated from github.com)

Great work, alexbooker! I just changed a couple of things, please review it. Your new generator is already online, and old links redirect also to the new generator. Thanks :)

bookercodes commented 2015-08-16 09:56:20 +00:00 (Migrated from github.com)

Awesome!

There is only one more thing to do, I think - make the "Source code" link point to the [source file](https://github.com/privacytoolsIO/privacytools.io/blob/master/password.html). I'll do that now and commit directly to `master`. I'll ping you here once it's done so you can update the server.

bookercodes commented 2015-08-16 09:57:58 +00:00 (Migrated from github.com)

OK, @privacytoolsIO - I did it.

Reference: privacyguides/privacytools.io#13