rndphrase
v0.9.5
This small module will replace your everyday passwords with secure per domain passwords.
RndPhrase.js
RndPhrase.js is a JavaScript module that generates secure passwords. It is a library and is not meant to be used stand-alone, although it can easily be used with node.js. The purpose of RndPhrase is to keep your password secure by sending a hash of the password to the server instead of the plaintext one.
This fixes some common issues with passwords.
- Shoulder surfing might reveal the password you type, but not the actual password sent to the server.
- If the database is compromised, your actual password is not compromised, even though the site password might be stored in cleartext.
- Passwords are never reused across domains, as the domain is part of the hashing input. Thus, even though you use the same password in more than one place, the compromise of one site does not lead to a general compromise of your password.
This might be more obvious with an example.
First, decide on a seed; this is a secret that only you know. For the purpose of this example, let's use the seed "nobodyknowsmyseed".
Choose a password that you wish to use. We'll just use "secret".
Now here comes the magic... Let's try to make a password for github.com
var r = new RndPhrase({
seed: 'nobodyknowsmyseed',
uri: 'github.com',
password: 'secret',
});
console.log(r.generate()); //output 1,d$[xtd%S&1b8%9
So far so good: this looks like a password that is hard to guess. Even if this is stored hashed in a database, it doesn't look like a password anybody in their right mind entered. Now let's create one for facebook.com
var r2 = new RndPhrase({
seed: 'nobodyknowsmyseed',
uri: 'facebook.com',
password: 'secret',
});
console.log(r2.generate()); //output 8a'4}+J Ds1%l ua
Wow! We used the same credentials, but the output was two completely different things, and all we changed was the domain!
How it works
RndPhrase uses three pieces of information: a seed, a password and a uri. The seed is supposed to be stored in the browser as something that is typed in once. Remember this one if you switch systems. ;) The password is the thing that you type in on your keyboard, which, of course, should not be reused, even though RndPhrase fixes this for you. The uri is a unique string used to determine the place that you are trying to log in to. It should be generated automatically by a browser plugin (if you use it on web pages). The uri is a free-form string, so you can combine a user id with the site name if you have multiple users on the same web page, e.g. github.com/privateuser and github.com/workuser.
Usage
Import RndPhrase.js as a module in your source.
var RndPhrase = require('rndphrase.js');
Instantiate the object with the minimum configuration requirements
var r = RndPhrase({
seed: 'nobodyknowsmyseed',
uri: 'example.net'
});
Invoke the generate method
r.generate('secret'); // 2JaL3{9e*o>T5x9I
Subsequent calls to the generate method yield new passwords
r.generate(); // Q^RkA%kx){AI9`0!
r.generate(); // Rucn;5;^maAv08X|
Configuration
It is possible to configure RndPhrase.js to enforce restrictions on the generated passwords, to adapt it to websites that have misunderstood password security. Everything is passed in a single JavaScript object with the following options
seed
The seed used. Expected to be a string, but can be anything that can be hashed by the hashing algorithm. Should be entered manually once and saved by the plugin using the library. Remember not to save it in plaintext. ;)
Mandatory, does not have a default.
uri
A string specifying the location, should be generated automatically by the plugin using the library.
Mandatory, does not have a default.
password
The password entered by the user. Should be entered manually, do not save this anywhere.
Mandatory, does not have a default.
size
An integer specifying the smallest possible size of the hashed password.
Defaults to 16.
version
Integer. Used for stupid websites that demand you change passwords frequently.
Defaults to 1.
capital
Configuration for capital letters. Set to false to disable.
Default:
{
min: 1,
max: -1, //infinite
alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
}
minuscule
Configuration for minuscule letters. Set to false to disable.
Default:
{
min: 1,
max: -1, //infinite
alphabet: 'abcdefghijklmnopqrstuvwxyz'
}
numeric
Configuration for numbers. Set to false to disable.
Default:
{
min: 1,
max: -1, //infinite
alphabet: '0123456789'
}
special
Configuration for special symbols. Set to false to disable.
Default:
{
min: 1,
max: -1, //infinite
alphabet: " !\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
}
Donate
Help making this software better
BTC: 1NPnXF6bUBx9GJCnHkWNN5hpNQQAbWnpPP