Insecure random generation
Issue #3
resolved
On lines 190, 197, 266 and 316, Math.random() is used for generating parts of the password. This is completely insecure, results in very predictable outputs, and should never be used for something as security-sensitive as generating passwords. Instead, window.crypto.getRandomValues() and an algorithm like the one used in arc4random_uniform() should be used to generate secure random numbers within a given range.
Comments (3)
I've made a pull request that implements generation of uniformly distributed random numbers on top of window.crypto.getRandomValues().

In particular, see pull request #1.

repo owner - changed status to resolved

Better late than never, right? Finally getting around to fixing some things on this project. Sorry for the delay and thank you for your contribution @FSMaxB