This is alternative password generator for SuperGenPass. It can be used as a drop-in replacement with minor modifications to the parent project.
There are two questions when evaluating a password generator, how hard would it be to crack the generated password, and how hard would it be to determine the master password if you know one of the generated passwords? This fork is designed to make both of those tasks more difficult for an attacker.
First, we make it hard for an attacker to crack one of your passwords by generating a password that uses 85 characters rather than 64, and ensuring that all generated passwords contain some symbols.
Second, if one of your passwords does get cracked, the next problem is preventing the user from using the password for one site to determine your master password. In order to do that we use bcrypt to slow down any attempt to crack the master password, so that it will be virtually impossible to determine your master password.
npm install bcryptgenpass-lib
var bcryptgenpass = require('bcryptgenpass-lib');
// A string containing the user's master password.
var masterPassword = 'master-password';
// A URI or hostname of the site being visited, stripped of protocol, subdomains and paths
var URI = 'example.com';
// Generate the password.
var generatedPassword = bcryptgenpass(masterPassword, URI, {/* options */});
As shown above, bcryptgenpass-lib
optionally accepts a hash map of options.
- Default
''
- Expects
String
A secret password to be appended to the master password before generating the password. This option is provided for convenience, as the same output can be produced by manually concatenating the master and secret passwords.
- Default
12
- Expects
Number
Length of the generated password. Valid lengths are integers between 4 and 160 inclusive.
- Default
12
- Expects
Number
Work factor for the bCrypt algorithm. You'll want to experiment with this value to determine the maximum you can tolerate based on the length of time it takes the browser to calculate the password.
To use bcryptgenpass-lib
in browser environments, run gulp browserify
. Take
the created dist/bcryptgenpass-lib.browser.js
and include it on your page. Use
the global bcryptgenpass
as documented above.
bcryptgenpass-lib
employs the simple password hashing scheme of SuperGenPass. At its essence, it takes
a master password and a hostname and concatenates them together:
masterpassword:example.com
It uses this as the input for the bCrypt hashing algorithm. The resulting bcrypt hash is itself run through sha512, and then finally encoded with the z85 derivative of Ascii85.
For more detail, please see the (well-commented and concise) source code.
Hash functions are provided by crypto-js. All original code is released under the GPLv2.
A huge thank you to SuperGenPass author Chris Zarate who with his generous work has made maintaining good password policy insanely easy.