How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g., web server), this is supposed to keep someone from getting a hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well there are a few reasons why generated passwords (via JavaScript) can be compromised.


the [Math.Random] JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.Random function does not provide cryptographically-secure results.

A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).

Summary: Using any JavaScript password generator that makes use of the Math.Random function is not wise, since this JavaScript function was never intended for high-security situations.


web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Update 12/05/2019:  Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).


computer malware  –  This reason is arguably the most common cause of compromised passwords…malware. Malware has the potential to do anything it can to your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux OS used on smartphones all over the world) has a good number of malware created for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.


surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or no) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.


So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little more safe than having your password generated on a server and sent across the Internet (using TLS encryption), does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer, cannot keep your passwords completely safe from being compromised.


Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software