How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g. web server), this is supposed to keep someone from getting a hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well there are a few reasons why generated passwords (via JavaScript) can be compromised.

the [Math.Random] JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.Random function does not provide cryptographically-secure results. It is even possible to predict the output of Math.Random.

This means that someone could potentially generate the same password that you just generated a week before. Not the best for people who want to have secure passwords.

A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).

Summary: Using any JavaScript password generator that makes use of the Math.Random function is not wise.

web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).

computer malware  –  This reason is arguably the most common cause of compromised passwords…malware. Malware has the potential to do anything it can to your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux OS used on smartphones all over the world) has a good number of malware created for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.

surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or no) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.

So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little more safe than having your password generated on a server and sent across the Internet, does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer, cannot keep your passwords completely safe from being compromised.


Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software

Happy 4th of July (2019)!


Posted in Holiday

Popular Misconceptions About VPNs

Many people use VPNs for their Internet connections, in the attempt to prevent their Internet Service Providers (and others) from seeing what they do while on the Internet, and sometimes to prevent website owners from knowing who is visiting their website.

These VPN services tunnel all of your web traffic (everything you do with your Internet connection, not just data from web browsing) through their servers.

( Of course, VPNs are also used for connecting two remote locations together over the Internet, but that is outside the scope of this post. )

While a VPN service can potentially help to protect your privacy, there are many myths people believe about VPNs.

1 : VPNs will prevent hackers from hacking into my computer

First off, if your computer has an open attack vector facing the Internet, you will eventually get hacked sooner or later.

Secondly, VPNs do not stop malware from infecting your computer (thus allowing a hacker into your computer), nor does it prevent a hacker from learning your real IP address and trying to attack your computer directly.

2 : no malware can get onto my computer while using a VPN

As mentioned above, VPNs do not stop malware from infecting your computer. The VPN service will download that malware-infested file just as happily as your ISP would have.

Your best defense against malware, is a good anti-virus/anti-malware application (e.g. Malwarebytes is a good one), and using common sense when downloading something off the Internet (e.g. does the website you are downloading the file from look sketchy?).

3 : VPNs will get past all geo-restricted websites

While VPNs can successfully access geo-restricted web content, some content providers (e.g. Netflix and Steam) disallow VPNs of any kind (according to their Terms of Service). However telling someone that VPNs will always work with geo-restricted websites is just plain false information.

4 : every “no log” provider really does not log anything

As I have said before on my blog, I am sure there really are VPN providers that honestly do not log anything that can easily trace back to a specific user. However, how do you know that they will not start logging without your knowledge? You don’t.

Also as an IT administrator, I know that not logging anything is pretty much impossible, since logs are necessary to help fix critical problems. It is up to you to decide who to believe when it comes to “no logs”. After all, you are using their network, not your own. Ultimately you are just taking their word for it.

In addition, the VPN’s upstream ISP most certainly will log all traffic. So by using traffic analysis attacks, your real IP may be uncovered anyway.

The website below has some interesting information about VPN services who claim to protect your privacy while doing the opposite.

Disclaimer: I have no control over the content on the website listed below. I am just adding it here for anyone who is interested in what it has to say.

https://vpnleaks.com/

5 : I can be an outlaw online, since I use a VPN

No VPN will completely protect you if you are doing something to attract the attention of a large, well-connected organization (e.g. a government agency). So if you are thinking about doing something “out-lawish” online (via a VPN), you better just forget it. You will get caught sooner or later.

6 : I am completely anonymous to my VPN provider

This one can be semi-true. There are VPN providers that only require an email and can be paid in cryptocurrency (e.g. Bitcoin). However, unless proper steps are taken, your Bitcoin payments can still be tracked.

Also, your VPN provider will know your real IP address, which could (please notice I said “could” not “will”) be leaked to certain people which may then expose your identity.

7 : anything I send over a VPN is completely secured from prying eyes

VPNs cannot always keep your information safe. All you are doing by using a VPN is making the VPN your “new” ISP. If you ever use a HTTP (non-encrypted) website, both the VPN provider and anyone else that is listening (after the data leaves the VPN server), can then intercept the data you sent.

Now please keep in mind that this mainly applies to un-encrypted web traffic (e.g. HTTP, FTP, Telnet, non-secured SMTP & IMAP, etc.)

Adding to the above info, you must remember that a VPN service does not provide point-to-point security. What I mean is that if you access my blog (via HTTPS) through a VPN, your initial connection is encrypted both at the browser and the VPN connection you have established.

However that extra security stops at the VPN itself. Whatever you transmitted to my server gets sent out as if you never used a VPN to begin with after it leaves the VPN’s server (hope that makes sense to you). This means by using a VPN service you only are protecting yourself from 1) your ISP or untrusted network (e.g. coffee shop Wi-Fi) 2) the remote computer knowing your real IP address and 3) circumvent Geo restrictions. If that is all you care about, then you should be ok.

8 : all VPN services have full control over their servers

While it is true that most (if not all) VPN services own their own servers (dedicated or VPS), this does not necessarily mean they have full, complete control over their servers.

Why? Simple. Unless they acquire their own data-center, the VPN company has no real idea of what is happening to their servers. This may not bother you, but it is a potential vector for a security breach of customer information.

9 : with a VPN, you will be anonymous everywhere you go online

There are three problems with this idea.

First, there is no way to be 100% anonymous online. That is a myth.

Secondly, assuming your VPN is not a bad actor itself, the minute you login into a personal account (e.g. Facebook, Twitter, Google, Bing, etc.), you will have just identified yourself to the remote computer.

Third, a VPN service cannot stop web tracking methods like tracking cookies and web browser fingerprinting.

Now you may be asking, “How does this allow someone to track my online visits?”  Good question. A web browser fingerprint is the identification of someone’s web browser in an attempt to track you regardless of what IP address you are coming from.

Basically your web browser is probed to determine what add-ons you have installed, what fonts are installed on your computer, what video card your computer has (via WebGL), PNG hash, what operating system you are using, your web browser’s 2D canvas, etc. All of this information is combined to form a fingerprint of your web browser.

If you have ever visited a website (without using a VPN) and later on you visit the same website (this time, using a VPN), they can still have a pretty good guess that it is you just by looking at your browser fingerprint you left the last time you visited (without the VPN).

Web browser cookies work in a similar manner. If you do not delete your cookies every time you exit a website, later on when you visit that same website again, they can read the cookie they placed in your web browser and know it is you, even if you are connecting under a different IP address via a VPN service.

Now if the website is say an online retailer, then cookies can be a good thing (your online shopping cart will use cookies, and probably will not work without them enabled). So it depends upon why the particular cookies are used.

(web cookies used for good – online shopping cart, logging into your webmail | used for evil – tracking your visits to spy on you and sell the collected information to 3rd-parties…or worse).

10 : “my Internet service gets 100/10 (download / upload) speed, so the VPN service I purchased will give me the same download/upload speed”

This one can sometimes be true, but usually isn’t. You have to understand that there are usually so many customers on any particular VPN server, that the bandwidth is strained between all the users.

If you have 200-300 people each using 10 Mbps of download bandwidth, there is not going to be much left for anyone else to use, especially if the server does a max of 1000 Mbps download.

If you have a 100/10 Internet service, you are doing good if you get 50/8 on a VPN. I am not saying that all VPN servers are slow, but in my experience, most of them are. If you have very fast Internet service, don’t expect to utilize all your bandwidth with a VPN service.

I hope this post has helped dismantle some myths you may have heard online about VPN services.

So what is the best use for a VPN service?

As mentioned before: 1) hide your activity from your ISP or untrusted network 2) prevent the remote computer from knowing your real IP address and 3) circumvent Geo restrictions (not always reliable)

Anything other than those three reasons will result in a false sense of security for you.

Please Note: I did not write this post to scare you away from using a VPN provider, but I wanted to make sure people understand that a VPN service is not a “magic pill” that will cure all of your online web privacy problems. Using a VPN for the purpose of preventing your government from spying on you or being 100% anonymous on the web is pointless.


Posted in Computers, Internet and Servers, Security, VPN

Dynamic and Static IP Address Differences

To access the Internet, your Internet Service Provider (ISP) assigns you an IP address. This allows you to talk to other computers on the Internet. Most people probably do not even think about their IP address they have been assigned, much less what type of IP address they have.

There are two kinds of IP addresses, static and dynamic.

Static addresses never change on you. Even after many months (or even years), the IP address you have been assigned stays the same. Dynamic addresses, on the other hand, usually change every few weeks (or months). Most people probably are assigned a dynamic address for a month or two at a time.

Pros of Static Addresses

  • Allows you to easily host web services (e.g. email, DNS, websites)
  • Helps prevent websites from mistaking you for being an abusive user. This is because when using a dynamic IP address, someone else had previously used that address, and may have been committing abusive behavior online. However, when using a static address, you (and whoever else has access) are the only ones using your address.
  • Allows for a more stable VPN connection, because a dynamic IP may change any moment, and this will break the VPN connection.

Cons of Static Addresses

  • ISPs usually require you to purchase a “business” Internet package to be able to obtain a static IP. This may cost more money per month than a typical residential Internet package.
  • Everywhere you go online can be easily tracked, since you use the same IP address everywhere you go online (a VPN proxy can help with this problem).
  • If someone starts constantly abusing your IP address (e.g. DDoS attack), you probably will not be able to quickly request a new static IP address from the ISP.
  • If you have a unique host-name assigned to your static IP (usually necessary to host a email server), you will have less privacy than someone who has a typical residential, dynamic IP address without a custom host-name.

Pros of Dynamic Addresses

  • Usually can easily change your assigned IP address (helpful to stop someone who is abusing your computers; e.g. DDoS attack).
  • Since your IP address is “generic” (used by several other people), you are more anonymous than a static IP constantly browsing the web.

Cons of Dynamic Addresses

  • Hosting web services will not be very stable, since you are using a dynamic IP address that may change anytime on you (FYI, using a “dynamic IP” DNS service is more of a “jury-rig” than a proper solution).
  • Some web services may think you are a trouble-maker, since someone else may have had your IP address previously and used it to abuse web services.
  • ISPs may deny you the privilege of running any web services unless you have a “business”-grade Internet package (most people using a dynamic IP do not have a business account at their ISP).


Posted in Computers, Internet and Servers, Operating Systems, Security, VPN

‹ Older Posts