

My startup project: pwgen.net - meddah
http://pwgen.net

======
drewcrawford
So... I'm unlikely to use a website for password generation. Even if
everything is done in JS (which from a cursory glance seems to be the case
here), that could easily be changed without me knowing it. I think that is a
showstopping issue for this app, because any competent administrator will
avoid handing out passwords, and nobody wants to read through your source code.
You need to seriously rethink the trust issues here.

Other than that, please get someone who is a native English speaker to look
over your text. I haven't the foggiest idea what some of it means.

~~~
ivank
> Even if everything is done in JS (which from a cursory glance seems to be
> the case here)

It's not. It downloads passwords from the server.

------
streety
The advisability of using this tool has already been discussed so I'll ignore
that aspect and critique the tool as is . . .

\- It isn't clear what the significance of the master and slave pages is. I
know you have a paragraph of text on the slave page, but I think that needs to
be the first thing you see. It's a feature which distinguishes you from many
other services. Shout about it.

\- Your guidelines state that a good password will, "Be seven or fourteen
characters long, due to the way in which encryption works. For obvious
reasons, fourteen characters are preferable." The default on the form is 8
characters. Try to be internally consistent. My knowledge of encryption is
fairly weak, why is 7 or 14 characters best?

\- Your privacy statement says, "API page only permitted SSL(https) requests."
I seem able to access the page using plain http.

\- What is the significance of "You generate password 50 times in the an hour.
Because, we check SPAM requests."? The way I'm reading it, you only generate 50
sets of passwords each hour, and if more than 50 people come to your site you
just serve the same set of passwords again. I doubt this is correct, but that's
the way I read it.

~~~
meddah
Hi streety,

Thanks for your advice and points.

\- pwgen.net was going to work over https only, but I didn't buy an SSL
certificate.

\- I wanted this feature, but I forgot about it. It doesn't work yet: "You
generate password 50 times in the an hour. Because, we check SPAM requests."

\- Sure, 7 or 14 characters is not best. It must include special characters
and numbers against the brute-force method.

------
trevelyan
It is not a challenge to generate strong passwords. It is a challenge to
remember them.

~~~
emremp
absolutely right :)

------
psyklic
Isn't this the second post lately on nice mini-tools which probably can't
easily translate into a startup? There is a difference between just a web app
and a business, right?

~~~
swombat
Yep. And again, there's no business here.

A start-up is a small business with a lot of growth potential.

It needs:

1) Revenue streams

2) Revenue streams

3) Revenue streams

If it's missing any of these three, it is not a business, and hence not a
start-up.

PS: Sometimes the revenue streams are not active yet, but there needs to be a
way to make money from it!

~~~
meddah
You're right! Thanks.

------
ralph
I use some variation on


    tr -dc 'A-Za-z0-9' </dev/urandom | dd bs=8 count=1 2>/dev/null; echo


when I want a quick throw-away password.

~~~
tptacek
Try:

head /dev/urandom | md5

~~~
ralph
head may read an awful lot from /dev/urandom before it exits. ;-) And md5sum
would limit my password to 0-9a-f whereas with tr(1) I get to choose the
character set.

~~~
tptacek
MD5 is giving you a 128 bit random number. That's an AES key. The character
set isn't going to make the password weak.

~~~
zain
Of course it will, since the password is stored as a string. It may be a
random set of 0-9a-f, but a brute force attack will still only need to use
those characters. Compare that to a password of the same character length
using any possible characters and you can see that it is clearly weaker.

~~~
tptacek
You need to re-read Shannon. The information content of a 128 bit random
integer encoded in 32 alphanumeric characters is 128 bits. You cannot feasibly
brute-force a 128 bit random number: if you could guess 1000 times per second,
it would take you 323708492124180425669115874649 years.

[edit: i got ((((((2^128)/1000)/60)/24)/365)/2) wrong the first time]

~~~
zain
I understand that. I'm not disputing the fact that a 128 bit random integer is
hard to guess.

The problem, however, is that it is being stored as a string. As such, if you
decide to use the 32 character hex representation as a password, you're
essentially storing a 32 character string that can only consist of 0-9a-f.

A random 32 character alphanumeric string would correspond to a random integer
much larger than 128 bits, and as such, would be much stronger. There's no
benefit to go with a weaker password.

~~~
tptacek
No offense, but I think this argument is pretty silly. "dd" off 16 bytes from
/dev/urandom and base64 it. You win; you just saved 7 characters.
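The exchange above (ralph's tr(1) pipeline, tptacek's md5 and base64 variants, and the hex-versus-alphanumeric entropy argument) can be checked directly. The script below is an added example, not code from the thread or from pwgen.net: it generates a password from a caller-chosen character set by rejection sampling over /dev/urandom, and computes the entropy in bits of each of the styles discussed so the numbers can be compared. It assumes a POSIX sh with tr, awk, wc and a head that accepts -c (GNU and BSD both do); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or pwgen.net): password generation from
# /dev/urandom plus an entropy calculator for the approaches discussed above.

# gen_password CHARSET LENGTH
# tr -dc deletes every byte that is not in CHARSET, which is rejection
# sampling: bytes are either kept unchanged or thrown away, so no modulo
# bias is introduced. LC_ALL=C keeps tr byte-oriented regardless of locale.
# head -c is used instead of dd so a short pipe read cannot truncate output.
gen_password() {
    charset=$1
    length=$2
    LC_ALL=C tr -dc "$charset" </dev/urandom | head -c "$length"
}

# charset_size CHARSET -> number of distinct byte values tr -dc would keep.
# Feeds byte values 1..255 through the same filter and counts survivors
# (NUL is skipped; no sane password charset contains it).
charset_size() {
    i=1
    while [ "$i" -le 255 ]; do
        printf "\\$(printf '%03o' "$i")"
        i=$((i + 1))
    done | LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits CHARSET_SIZE LENGTH -> round(LENGTH * log2(CHARSET_SIZE))
# A uniformly chosen string of LENGTH symbols from an alphabet of size S
# carries LENGTH * log2(S) bits, whatever the symbols look like.
entropy_bits() {
    awk -v s="$1" -v n="$2" 'BEGIN { printf "%d", n * log(s) / log(2) + 0.5 }'
}

# demo: the three styles from the thread, each with its entropy.
#   '0-9a-f':32       what "md5" yields (32 hex chars  = 128 bits)
#   'A-Za-z0-9':8     ralph's tr pipeline (8 alnum     ~  48 bits)
#   'A-Za-z0-9+/':22  base64 of 16 bytes, padding off (22 chars ~ 132 bits)
demo() {
    for spec in '0-9a-f:32' 'A-Za-z0-9:8' 'A-Za-z0-9+/:22'; do
        cs=${spec%:*}
        n=${spec#*:}
        pw=$(gen_password "$cs" "$n")
        bits=$(entropy_bits "$(charset_size "$cs")" "$n")
        printf '%-34s %3s bits\n' "$pw" "$bits"
    done
}

demo
```

The numbers bear out tptacek's point: 32 hex characters and 22 base64 characters both carry about 128 bits, and the alphabet is irrelevant to an attacker who knows the generator; what the charset buys is only a shorter string for the same entropy. The 8-character alphanumeric pipeline, by contrast, is around 48 bits, which is fine for a throw-away password but is in a different class altogether.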

------
meddah
This is a mini tool, and this application doesn't keep passwords. Here is the
source code. I think I'll write this app in JS, but a Firefox add-on or an
iPhone plugin, etc., may require a usable API.

Source Code: <http://code.google.com/p/pwgen-net/>

~~~
Hexstream
... Are you using Babelfish (translator) or something?

~~~
meddah
No, I'm not using Babelfish. You're right! Sorry for my English; it's very, very
bad, I know, but I'm working on learning English.

------
mynameishere
The _real_ security problem relates to social engineering, which this website
could quite well be exploiting. Therefore, there is no reason for this. Take
your tech skills and move onto something that corresponds to market
requirements.

------
rw
1) Why do I need to enable Javascript to use even the most basic functionality
of your website?

2) Why would anyone use this? The security implications are obvious and
severe.

Congrats on building it, though. Certainly a useful exercise.

~~~
sgk284
I'm not the author, but I assume he wants everything client side. If I'm going
to have a web site generate a password for me, I certainly don't ever want it
touching their server in the process.

------
mwerty
A firefox plugin might increase my comfort level in using something like this.

~~~
ivank
You want to use passwords generated by someone else's server, but first you
want to install a Firefox extension, which would give them access to all your
existing passwords and cookies?

~~~
PStamatiou
I think he meant password generators in general, and not a Firefox extension
that talks to this site?

~~~
mwerty
Yup. I don't want any part of the site to be aware of my password.

------
sysop073
I'm not really sure why you'd ever want a website to do this, even client
side. There are tools like apg that do exactly this; what does the javascript
version offer?

------
thomasswift
Bookmarked! It's nice to have a generator for passwords.

you have a small typo: diffrent should be different

Cheers :)

------
Tichy
I really don't see the point.

------
rob
Seems like goodpassword.com.

~~~
sc
Except without the help of mnemonics.

Passwords should just be long and easy to remember.

ILoveEating2Baguettes!InTheSpringtime is going to be better than D72gfD@1.

------
mattmaroon
You need a bookmarklet.

