
Show HN: I built an online service to generate passwords, UUIDs and EFF wordlists - keenthinker
https://hipstapas.dev/
======
keenthinker
Hi everyone, Pavel here - the maker. I love to automate repetitive tasks and
standardise processes with the help of software. I do believe that creation of
strong phrases, ids, etc. should be secure, transparent and reliable. That is
why I built Hipstapas - to have an online single source of strong phrases (which
I already do use - dogfooding :-). Use cases that I can think of:

- resetting/rotating passwords
- creating secrets that only the client should know
- password managers and the like
- adaptation for internal use

The service itself is a REST API built with pure JavaScript (on top of
node.js). It currently consists of 3 endpoints (FaaS) hosted on Vercel
(formerly Zeit). There is also an interactive playground built with
Bootstrap/HTML/JavaScript (currently only for passwords; UUID and word lists
are coming). Custom policy features are also on their way - this could be
something that could probably be a paid service if the concept is at all of
interest.

Let me know if you have any questions. Any feedback is much appreciated!

------
zzo38computer
This may be helpful to those who want online services to do these things, but
I prefer to use software on my own computer to generate UUIDs and that other
stuff.

Also, I think the Content-type header of the API is set incorrectly; it is set
to text/html but probably should be text/plain instead.

~~~
keenthinker
Thank you for your feedback.

I can understand your point of view and I do believe that it will take time
to trust online services that deliver such sensitive data as passwords and
ids. That is why it is open source - to be transparent from the beginning.
Nevertheless it seems to me that more and more (micro) services will emerge and
replace a lot of the "classic" software that we are used to and accustomed to
having offline.

Regarding the "offline uuid": currently working on creating an npm package
for offline usage. Will be available soon.

Regarding the Content-Type: it is currently set automatically to "text/html"
when generating only one item (no matter if it is a password, uuid or word list)
and to "application/json" when generating more than one item. The idea was
that the default option for each endpoint (one item, default settings) should
deliver a result that can be used/copied immediately and is not formatted, if
the API was called in the browser. I guess it would be fine to set text/plain
when delivering one item. Thanks for the hint.
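
The content negotiation described in the reply above (one item as plain text, several as a JSON array), written as an added example rather than Hipstapas' code. With `text/plain` the browser shows the generated value verbatim instead of parsing it as markup, which is what makes it safe to copy straight from the address bar. The `Cache-Control: no-store` and `X-Content-Type-Options: nosniff` headers are my additions for any endpoint that returns secrets, not something the thread says the service sets; the `fakeResponse` stand-in exists only so the block runs offline without binding a port.

```javascript
// Added example, not Hipstapas' own code: one item -> text/plain, several ->
// application/json, plus the headers a secret-generating endpoint should send.
// `writeResponse` works with http.ServerResponse or anything with
// writeHead/end.
function shapeResponse(items) {
  if (!Array.isArray(items) || items.length === 0) {
    throw new RangeError("expected a non-empty array of generated items");
  }
  const headers = {
    // Generated secrets must not land in a browser, proxy or CDN cache.
    "Cache-Control": "no-store",
    // Stop browsers from second-guessing the declared type and rendering a
    // value that happens to contain '<' as HTML.
    "X-Content-Type-Options": "nosniff",
  };
  if (items.length === 1) {
    // Single item: raw text, copyable as-is from the browser.
    return {
      status: 200,
      headers: { ...headers, "Content-Type": "text/plain; charset=utf-8" },
      body: String(items[0]),
    };
  }
  // Several items: a JSON array for programmatic consumers.
  return {
    status: 200,
    headers: { ...headers, "Content-Type": "application/json; charset=utf-8" },
    body: JSON.stringify(items),
  };
}

// Adapter for http.ServerResponse (or any object exposing writeHead/end).
function writeResponse(res, items) {
  const { status, headers, body } = shapeResponse(items);
  res.writeHead(status, headers);
  res.end(body);
}

// Minimal stand-in for http.ServerResponse so the example runs offline
// (constructed for this example; a real server would pass its own `res`).
function fakeResponse() {
  const rec = { status: 0, headers: {}, body: "" };
  return {
    rec,
    writeHead(status, headers) { rec.status = status; rec.headers = headers; },
    end(body) { rec.body = body; },
  };
}

// With a real server this would be:
//   http.createServer((req, res) => writeResponse(res, generated)).listen(3000);
const one = fakeResponse();
writeResponse(one, ["correct horse battery staple"]);
console.log(one.rec.headers["Content-Type"], "|", one.rec.body);

const many = fakeResponse();
writeResponse(many, ["a1b2", "c3d4", "e5f6"]);
console.log(many.rec.headers["Content-Type"], "|", many.rec.body);
```

Keeping the body a single function that returns status, headers and body (rather than writing to `res` directly) is what makes the negotiation unit-testable without a listening socket.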

------
ZinniaZirconium
Nice. But how do I know you don't save all the passwords for abuse later? ;)

~~~
keenthinker
Thank you! A good and understandable question. :-)

The API is deployed from GitHub directly (main branch), so the code in GitHub
is what is online. There is no logging, no tracking, nothing at all. The idea
is to build trust with the users, because everyone can check that nothing is
logged. I hope I can do that! :)

I am also open anytime for security reviews of the vercel project if desired
(there are no log sinks configured, not even for statistics).

Last point: even if some web application uses the REST API to generate
phrases, IMO it is impossible to correlate web address (ip), username and
password/uuid/wordlist, even if something is logged (the only thing that could
be logged would be the IP address). Even if you could get the address of the
service from the ip (for example nslookup reveals that for service.domain.com
the phrase "passWORD1!" was generated on 28 July 2020), you need to know for
what purpose and/or functionality (login, log, whatever) the phrase was
created. Assuming it was for login, you need to check all username + this
password combinations, and the username is unknown, or all reset passwords, or ...
The query to generate the password contains only generation parameters and no
further details. Hope this answer makes sense and helps :)

