Insecure random generation

Issue #3 resolved
SN4T14 NA created an issue

On lines 190, 197, 266 and 316, Math.random() is used for generating parts of the password. This is completely insecure, results in very predictable outputs, and should never be used for something as security-sensitive as generating passwords. Instead, window.crypto.getRandomValues() and an algorithm like the one used in arc4random_uniform() should be used to generate secure random numbers within a given range.

Comments (3)

  1. FSMaxB

    I've made a pull request that implements generation of uniformly distributed random numbers on top of window.crypto.getRandomValues().

  2. John VDL repo owner

    Better late than never, right? Finally getting around to fixing some things on this project. Sorry for the delay and thank you for your contribution @FSMaxB
