Is This Page Secure?
This page uses only JavaScript and HTML to generate passwords. There is purposefully no form
submission, so there is no way for the server to see or store your passwords (including the
master password). Sending passwords over an HTTP (not HTTPS) connection would be a security risk,
as would storing them on a server in any form (even encrypted), not to mention a violation of
your privacy.
All settings except the master password are stored on your local PC as a cookie, so the settings will be the same next time you visit this page. If you'd like to store the master password also, check the "Save master password" checkbox. The master password will then be stored encrypted as a cookie on your local machine. Saving the master password, even though it's encrypted with AES encryption, is not completely secure; you are sacrificing some security for convenience. Theoretically, a hacker could determine your master password if he:
- Could access the encrypted master password and key, stored as a cookie, on your PC
- Knew which l33t level you're using (if any)
- Knew to use AES-128 to decrypt the master password
Even then, a hacker wouldn't be able to use the master password to log in anywhere if you only
use generated passwords for your website accounts. Don't forget, he'd also need to know your username(s) on any of those websites.
In any case, if this security risk concerns you, you shouldn't check the "Save master password" checkbox. If you've checked it by mistake, simply clear your cookies or, alternatively, uncheck the "Save master password" box and navigate away from this page. This forces an empty value to be stored for the master password.
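The trade-off described above, as an added example that is not this page's own code: because the page must be able to decrypt the saved master password on the next visit, the key is stored next to the ciphertext, so the cookie contents alone are enough to recover it. The cookie names (`masterKey`, `masterPassword`), the AES mode (GCM) and the base64 encoding are assumptions; the page only states that AES-128 is used.

```javascript
// Added illustration, not the page's own code. Cookie names, the GCM mode
// and the base64 encoding are assumptions; the page only states "AES-128".
const crypto = require('node:crypto');

// Model of the "Save master password" checkbox writing to the cookie jar.
function saveSettings(jar, masterPassword, saveMaster) {
  if (!saveMaster) {
    jar.masterPassword = '';            // unchecked: an empty value is stored
    delete jar.masterKey;
    return jar;
  }
  const key = crypto.randomBytes(16);   // 128-bit AES key
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(masterPassword, 'utf8'), cipher.final()]);
  // The key is stored too; without it the page could not decrypt next visit.
  jar.masterKey = key.toString('base64');
  jar.masterPassword = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return jar;
}

// The load path on the next visit. It needs nothing beyond the cookie values,
// which is why the encryption protects only against casual reading of the jar.
function loadMasterPassword(jar) {
  if (!jar.masterPassword || !jar.masterKey) return null;   // nothing saved
  const blob = Buffer.from(jar.masterPassword, 'base64');
  const key = Buffer.from(jar.masterKey, 'base64');
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample value, not a real password.
const jar = saveSettings({}, 'constructed-master-pw', true);
console.log('saved, then loaded from cookies only:', loadMasterPassword(jar));
saveSettings(jar, 'constructed-master-pw', false);
console.log('after unchecking the box:', loadMasterPassword(jar));
```

Unchecking the box leaves an empty `masterPassword` value and no key, so there is nothing left in the cookies to decrypt.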
Don't forget, you can download this page and its dependencies as a zip archive, runnable on your own webserver.