
Show HN: A simple password generator - robinhood
https://simplestpasswordgenerator.com/
======
phs2501
Why is it telling me to press Command+C to copy the password on my Linux
machine?

Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0

And yes, anybody who would use a password that was generated on a foreign
server is very silly indeed. The password should be generated locally in the
browser.

Other than those things the visual design is nice at least.

------
robinhood
The author here.

Sorry guys if I completely missed the points regarding the security. I just
wanted to create a cool tool for me, and I didn't think too much about storing
passwords or having enough entropy or whatever.

I've built this because I store all my passwords with VIM instead of the
popular 1Password and I need to generate passwords most of the time.

I'll update the tool to make it client-side only.

~~~
lawl
Sorry to be an asshole, but I'll use pwgen[0] over some website that gives me
a password every day. Even if it's client side only it's still a bad idea.

[0]: [http://linux.die.net/man/1/pwgen](http://linux.die.net/man/1/pwgen)

~~~
robinhood
Thanks for your constructive feedback.

------
agd
A few issues:

- password generated server-side (why?)

- mixed http/https content

- no info on how the password is generated

~~~
Vespasian
First point is enough to kill this and similar services for all time.

Nice simple UI though. :)

------
robinhood
So.

The tool is now 100% front-end. I used the library @mykii posted below
([https://github.com/mykiimike/jen](https://github.com/mykiimike/jen)) and
there should not be any HTTPS errors now.

The code is even on Github
([https://github.com/djaiss/simplestpasswordgenerator](https://github.com/djaiss/simplestpasswordgenerator))
- so you can see that I don't do anything nasty with our precious passwords.

~~~
lawl
> _Math.random()_

That's just not acceptable, even as a fallback. I'm sorry, the whole idea of
this service is just horrible. Please don't use this.

~~~
mykii
I'm talking about a failsafe, not a fallback. You will never reach the condition
on browsers or nodejs. This mimic is there just to avoid a null return from
.password() (generally not checked by the user), which could be more dangerous.

~~~
lawl
Right, because completely aborting would break things; who cares about
security?

This is just horrible and I honestly hope nobody will ever use this, I'm
sorry.

------
gotoSander
Maybe generate the passwords client-side instead of server-side?

------
VeejayRampay
Quick question, it seems that the generated passwords never make use of
special characters (only digits and letters). I feel that it restricts their
entropy, doesn't it? I am not a security expert by any means, though, just
genuinely curious.

~~~
dimino
Some terrible websites limit the characters you can supply for passwords (for
telephone password input reasons, sometimes).

Also, someone who's trying to take advantage of a low-entropy password
probably doesn't know what the character-set of the password actually is. In
other words, they'd have to know _this_ is where your password came from in
order to recognize that special characters are off the table.

------
tugberkk
I really liked the design, and since it is done only in front end right now, I
also liked the idea.

It may not be suitable or the perfect solution for hackers like those on this
website, but we should remember that an incredible number of people are using
"password1", "123456" and the like. This website can really help those who
are not very good at using computers. Oh, but they will probably write these
passwords on a post-it and stick it on their monitor, but an effort is an
effort :).

------
AndyKelley
Why would I go to a website to make a password when I could avoid leaving my
terminal?

alias mkpass='head -c 9 /dev/random | base64'

~~~
enlightenedfool
What's the Windows equivalent for that? (without Cygwin or likes)

~~~
timon999
'head -c 9 /dev/random | base64' works in my cmd.

~~~
yellowapple
Since when does Windows have /dev, let alone /dev/random?

~~~
pki
cygwin.com

~~~
yellowapple
The parent of the comment I responded to requested something without Cygwin.

------
brianhempel
I like the colors.

Most browsers these days implement window.crypto.getRandomValues() so you
could use that and do the generation client-side in Javascript. That way, I
don't have to trust that you're not storing these passwords in preparation for
a later attack.

------
nascro
I've been using [http://makemypassword.com](http://makemypassword.com) for a
few years. The Copy my Password button copies the generated password to your
clipboard instead of using a keyboard combo.

------
mykii
"Jen is a portable and safe Javascript password/number generator"
[https://github.com/mykiimike/jen](https://github.com/mykiimike/jen)

It works both on browsers and nodejs.

~~~
robinhood
Thanks. I ended up using it in the new version.

~~~
mykii
Cool :]

------
kolev
I've always wondered if these services store the passwords...

------
siliconc0w
Easy bash version:

password() { cat /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | fold -w "${1:-20}" | head -n 1; }

------
matthijs_
HTTPS?

~~~
robinhood
Oops, I forgot to link the https version.

[https://simplestpasswordgenerator.com/](https://simplestpasswordgenerator.com/)

~~~
Vespasian
I like your tool from a UX point of view, but nothing can fix the security
issue that you use passwords created on a website which could at any time
choose to store them.

PAAS (Password as a service) can and will never be a thing ;)

~~~
digitalsushi
I actually had an idea for password as a service.

The security implications are all rubbish, and obviously it fails if the site
goes away, but hear me out and then offer a local way of doing this, cause I'd
love it:

Let's pretend you have some set of computer files that are distracting you. (A
video game, or old high school/pre-divorce/estranged family photo albums, this
could be anything). You want to keep them, but you want to restrict your own
access to them.

Password as a service: you go to some little widget site, enter an email
address, a date, and it gives you a password. Unless you have a photographic
memory, you just paste it into a protected archive, forget it, and then wait
until the date to get emailed a password reminder. Until then, you are locked
out of your archive and there's nothing to be done until that day.

I haven't figured out a clever way of this that can't be defeated if the
password is generated locally.

