atoponce / webpassgen Goto Github PK

There are 22 characters of different byte sizes:

• " ": U+0020 (1 byte)
• "᠎": U+180E (3 bytes)
• " ": U+2000 (3 bytes)
• " ": U+2001 (3 bytes)
• " ": U+2002 (3 bytes)
• " ": U+2003 (3 bytes)
• " ": U+2004 (3 bytes)
• " ": U+2005 (3 bytes)
• " ": U+2006 (3 bytes)
• " ": U+2007 (3 bytes)
• " ": U+2008 (3 bytes)
• " ": U+2009 (3 bytes)
• " ": U+200A (3 bytes)
• "​": U+200B (3 bytes)
• "‌": U+200C (3 bytes)
• "‍": U+200D (3 bytes)
• " ": U+202F (3 bytes)
• "⁠": U+2060 (3 bytes)
• "　": U+3000 (3 bytes)
• "": U+FEFF (3 bytes)
• "󠀠": U+E0020 (4 bytes)

At 22 unique whitespace characters, that's log2(22) ~= 4.459 bits per character. That means we should expect these character counts for the following minimum security levels:

• 56 bits: 13 characters
• 64 bits: 15 characters
• 72 bits: 17 characters
• 80 bits: 18 characters
• 88 bits: 20 characters
• 96 bits: 22 characters
• 104 bits: 24 characters
• 112 bits: 26 characters
• 120 bits: 27 characters
• 128 bits: 29 characters

I have read your blog post with great interest and have tried the tool.

You might be interested in this blog post

https://el-tramo.be/blog/diceware-nl/

that is describing additional (better?) lists for the Dutch language.

I suspect you will at least take a look and hopefully include this in your valuable tool.

Consider the following passphrase created from the Beale wordlist in the Diceware container:

privy m-16 suit saul fact kicks ooze

When checking the "Hyphenate" box, the passphrase then becomes:

privy-m-16-suit-saul-fact-kicks-ooze

If un-checking the "Hyphenate" box, the hyphen in the "m-16" word is lost:

privy m 16 suit saul fact kicks ooze

Probably the best way to fix this, is before un-hyphenating the passphrase, to check for hyphenated words in the selected wordlist, store any matches in a variable, and after removing all the hyphens, to restore the hyphenated word to its correct location.

The original Bulgarian word list, after using OCR, diff, and other tools that is currently checked into Github is here: https://ae7.st/p/5ah

To make this a bit more manageable, here it is split into 12 files:

1. List 1
2. List 2
3. List 3
4. List 4
5. List 5
6. List 6
7. List 7
8. List 8
9. List 9
10. List 10
11. List 11
12. List 12

I downloaded the code and opened index.html in Safari on OSX. Forms show up where I can select an option and press the "Generate" button, but clicking that button does nothing. I have javascript enabled. I'm suspecting that Safari by default blocks file:// javascript or something like that. If this is a common problem with Safari and this web page, it would be nice if the README file mentioned it and how to fix it.

Now with "Verb, Adjective, Noun" as a valid passphrase generator, it's possible that the passphrase extends 5 lines at 128 bits, and is common to be 3 lines at 80 bits. However, a "Base94" password will only ever occupy a single line. The UX isn't great here. Instead, adjust it such that the password is vertically aligned in the <div>.

It would be useful to have an English list that balances these three goals:

• minimizes memorization effort
• maximizes the chances that the word will be familiar to most speakers
• keeps entropy at an acceptable level

I'm not sure of the best way to accomplish this. I'm envisioning an Alternate list that isn't "English (all)", but is instead a subset of the wordlists that make up that list. Perhaps called "English (common)" or "English (broad)" or "English (most)" or something like that. Specialized lists (like Star Trek, Simpsons, etc.) would be excluded.

Initial source lists might be:

• All EFF English lists
• Bitcoin English
• English (NLP)
• PGP
• Pokerware
• Wordle

... but with all capitalized words lower-cased (which would eliminate having to remember that words 2 and 5 are capitalized, etc., but that's up for discussion) and then deduplicated. My hope is that this will produce a list in the 20K range or higher.

Any future general (not topic-specific) English wordlists could also be added.

Mirrored a local copy and clicked around to try this out. When clicking Dark Mode, getting a:
Uncaught DOMException: Failed to read the 'rules' property from 'CSSStyleSheet': Cannot access rules at :1:25 error on latest chrome.

Upon review this appears to be due to the accessing of the stylesheet interface (css.rules[0]) locally (which for whatever reason, they decided should be a violation of CORS even when the index.html is served via file://).

Being what the function is doing with Dark Mode, this would seemingly be easily fixed by including both dark and light mode in the stylesheet and just activating using a selector. Happy to do a PR if you'd like.

(For many apps this wouldn't really be an issue, but given the security concerns with PW generation, it's probably fairly common for people to download and attempt to run locally without standing up a server. At first glance, don't see any other issues that would would make this not run perfectly fine locally?)

Refs:
https://stackoverflow.com/questions/48753691/cannot-access-cssrules-from-local-css-file-in-chrome-64/49160760#49160760
https://stackoverflow.com/questions/49161159/uncaught-domexception-failed-to-read-the-rules-property-from-cssstylesheet

Instructions to run the password generator locally on an iOS device from the ZIP file downloaded directly from GitHub.

Prerequisites:

• Install the Readdle Documents app on your iOS device

Workflow:

Open the Safari browser.
Open the demo site at https://ae7.st/g/.
Scroll to the bottom and click the download link (insert screenshot).

This will open the releases page from the GitHub repository.
Click the link that says 'Source code (zip)'.

This will open the zip file in the Documents app.
Click the zip file, to expand it into it's own folder.

Move into the folder and click the Index file. This will open the local copy of the file.

Latin Extended is now showing all characters correctly on Android.

In my Chromium browser on one desktop, I see the following:

Along with the bits of entropy, and the character count, It might be informative to include a compact expression of how many "elements" there were in the source list ("7777 elements").

This could help shape intuitions for the layperson.

(There may be another term that is better than "element". I led with that because some of the lists are words, some are pseudo words, some are characters, etc.)