Gathering detailed insights and metrics for micro-password-generator
Gathering detailed insights and metrics for micro-password-generator
Utilities for password generation and estimation with support for iOS keychain
Installations
npm install micro-password-generatorDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Node Version
18.6.0
NPM Version
8.14.0
Score
72.8
Supply Chain
98.9
Quality
74.9
Maintenance
100
Vulnerability
100
License
Contributors
1
Unable to fetch Contributors
Languages
2
TypeScript
JavaScript
TypeScript (62.79%)
JavaScript (37.21%)
Developer
paulmillr
Download Statistics
Total Downloads
641
Last Day
1
Last Week
3
Last Month
20
Last Year
329
GitHub Statistics
18 Stars
21 Commits
1 Forks
4 Watching
1 Branches
1 Contributors
Bundle Size
4.97 kB
Minified
2.15 kB
Minified + Gzipped
Sponsor this package
Maintainers
1
Package Meta Information
Latest Version
0.2.0
Package Id
micro-password-generator@0.2.0
Unpacked Size
32.79 kB
Size
9.38 kB
File Count
7
NPM Version
8.14.0
Node Version
18.6.0
Total Downloads
Cumulative downloads
Total Downloads
641
Last day
-50%
1
Compared to previous day
Last week
-62.5%
3
Compared to previous week
Last month
900%
20
Compared to previous month
Last year
232.3%
329
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
3
Versions
micro-password-generator
Utilities for password generation with support for iOS keychain.
- Maps bytes to passwords using masks
- No dependencies
- Supports iOS / macOS Safari Secure Password from Keychain
- Provides ZXCVBN Score for password bruteforce estimation
Examples
1import * as pwd from 'micro-password-generator'; 2import { scrypt } from '@noble/hashes/scrypt'; 3// Use cryptographically secure RNG. Do not use Math.random(), it's not secure 4import { randomBytes } from '@noble/hashes/utils'; 5 6(async () => { 7 const seed = scrypt('main-password', 'user@gmail.com', { N: 2**18, r: 8, p: 1 }); 8 9 // Deterministic password 10 console.log(pwd.secureMask.apply(seed).password); 11 // Secure random password 12 console.log(pwd.secureMask.apply(randomBytes(32)).password); 13 // wivfi1-Zykrap-fohcij, will change on each run 14 15 // Or using mask, if there is specific requirements 16 console.log(pwd.mask('@1Av').apply(seed).password); 17 // "9Sy 18 19 // Mask statistic (napkin math attack cost estimation) 20 console.log(pwd.mask('Cvcvcvc').estimate()); 21 /* 22 { 23 score: 'somewhat guessable', // ZXCVBN Score 24 // Guess times 25 guesses: { 26 online_throttling: '1y 115mo', // Throttled online attack 27 online: '1mo 10d', // Online attack 28 // Offline attack (salte, slow hash function like bcrypt, scrypt, PBKDF2, argon, etc) 29 slow: '57min 36sec', 30 fast: '0 sec' // Offline attack 31 }, 32 // Estimated attack costs (in $) 33 costs: { 34 luks: 1.536122841572242, // LUKS (Linux FDE) 35 filevault2: 0.2308740987992559, // FileVault 2 (macOS FDE) 36 macos: 0.03341598798410283, // MaccOS v10.8+ passwords 37 pbkdf2: 0.011138662661367609 // PBKDF2 (PBKDF2-HMAC-SHA256) 38 } 39 } 40 */ 41})();
Mask control characters
| Mask | Description | Example |
|---|---|---|
| 1 | digits | 4, 7, 5, 0 |
| @ | symbols | !, @, %, ^ |
| v | vowels | a, e, i |
| c | consonant | b, c, d |
| a | letter (vowel or consonant) | a, b, e, c |
| V | uppercase vowel | A, E, I |
| C | uppercase consonant | B, C, D |
| A | uppercase letter | A, B, E, C |
| l | lower and upper case letters | A, b, C |
| n | same as 'l', but also digits | A, 1, b, 2, C |
| * | same as 'n', but also symbols | A, 1, !, b, @ |
| s | syllable (same as 'cv') | ca, re, do |
| S | Capitalized syllable (same as 'Cv) | Ca, Ti, Je |
| All other characters used as is |
Examples:
- Mask:
Cvccvc-cvccvc-cvccv1will generateMavmuq-xadgys-poqsa5 - Mask
@Ss-ss-sswill generate:*Tavy-qyjy-vemo
Design rationale
Most strict password rules (so password will be accepted everywhere):
- at least one upper-case character
- at least one lower-case character
- at least one symbol
- at least one digit
- length greater or equal to 8
These rules don't significantly increase password entropy (most humans will use mask like 'Aaaaaa1@' or any other popular mask),
but they means that we cannot simple use mask like
********, since it can generate passwords which won't satisfy these rules.
What do we want from passwords?
- length: entering 32 character password for FDE via IPMI java applet on remote server is pretty painful. -> 12-16 probably ok, anything with more characters has chance to be truncated by service.
- readability: entering '!#%!$#Y^&*#%@#!!1' from air-gapped pc is hard.
- entropy:
- 32 bit is likely to be brutforced via network
- 64 bit: 22 days && 1.6k$ at 4x V100: https://blog.trailofbits.com/2019/11/27/64-bits-ought-to-be-enough-for-anybody/ but it is simple loop, if there is something like pbkdf before password, it will significantly slowdown everything
- 80 bits is probably outside of budget for most attackers (btc hash rate) even if there is major speedup for specific algorithm
- For websites and services we don't care much about entropy, since passwords are unique and there is no re-usage, however for FDE / server password entropy is pretty important
- no fancy and unique mask by default: we don't want to fingeprint users
- any mask will leak eventually (even if user choices personal mask, there will be password leaks from websites),
so we cannot calculate entropy by
******mask, we need to calculate entropy for specific mask (which is smaller). - Password generator should be reversible, that way we can easily proof entropy/strength of password.
License
MIT (c) Paul Miller (https://paulmillr.com), see LICENSE file.
No vulnerabilities found.
No security vulnerabilities found.