How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g., web server), this is supposed to keep someone from getting a hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well, there are a few reasons why passwords generated via JavaScript can be compromised.


the Math.random JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.random function does not provide cryptographically-secure results.

A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).

Summary: Using any JavaScript password generator that makes use of the Math.random function is not wise, since this JavaScript function was never intended for high-security situations.
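The following is an added example, not code from the original post: a password generator built on getRandomValues that also discards out-of-range bytes, so that mapping a random byte onto the alphabet does not favor some characters (modulo bias). The names generatePassword, ALPHABET and the injectable fill parameter are assumptions made for this illustration.

```javascript
// Added example; generatePassword, ALPHABET and `fill` are illustrative names.
// Browsers and recent Node expose Web Crypto as globalThis.crypto; older
// Node (CommonJS) falls back to require('node:crypto').webcrypto.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@_';

// `fill` is injectable only so the rejection logic can be tested with
// constructed bytes; real callers should keep the default.
function generatePassword(length, alphabet = ALPHABET,
                          fill = (buf) => webCrypto.getRandomValues(buf)) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must contain 2 to 256 characters');
  }
  // Largest multiple of alphabet.length that fits in a byte. Bytes at or
  // above it are thrown away, otherwise `b % alphabet.length` would make
  // the first few characters slightly more likely than the rest.
  const limit = 256 - (256 % alphabet.length);
  const out = [];
  const buf = new Uint8Array(length * 2);
  while (out.length < length) {
    fill(buf); // refill with fresh random bytes on every pass
    for (const b of buf) {
      if (b >= limit) continue; // rejected: would introduce bias
      out.push(alphabet[b % alphabet.length]);
      if (out.length === length) break;
    }
  }
  return out.join('');
}

console.log(generatePassword(20));
```

This only addresses the quality of the randomness; it does nothing about the add-on, malware and surveillance risks described in the rest of this post.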


web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well, open-source add-ons would definitely lower the chance that someone would get away with spying on you. However, open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Update 12/05/2019:  Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).


computer malware  –  This reason is arguably the most common cause of compromised passwords: malware. Malware can do almost anything on your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux OS used on smartphones all over the world) has a good amount of malware created for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.


surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or not) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.


So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little safer than having your password generated on a server and sent across the Internet (using TLS encryption), does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer cannot keep your passwords completely safe from being compromised.



When Should You Update Software?

Software updates are one of the things that can cause pain for server and network administrators.  They do not have the luxury to just click an “upgrade to next version” button like you would see on a WordPress website.  There is usually more involved when updating software.

When there is new software (or a new operating system) you can upgrade to, there are a few things to check out first.

(Not an exhaustive list)

  1. Does it have any features that are beneficial to my daily work?
  2. Does it have any features that have been removed?
  3. Will the currently running software work with the new OS, or have people complained about the software not working correctly?
  4. Will your hardware work with the new software?
  5. How much downtime will an upgrade incur?
  6. If a lot of downtime will occur, is there a way to minimize the downtime?

Whenever you want to use a newer OS, you should always perform a fresh install on the computer. Never just do an in-place upgrade.  This is a very good way to mess things up on the computer.  Even if the in-place upgrade (not a fresh install) seems to work fine, there may be small issues that will pop up later that you are not aware of.  Then you will wish you had done a fresh install in the first place. 🙂

Also, whenever you want to update a piece of software, always make sure you are using a “stable” release of the software.  Never run Beta, RC, Alpha, or any “not finished” software in production.  This can cause you grief that you could have avoided.



Pros and Cons of the C# Programming Language

I’ve programmed in C#.Net for a while now, and I have grown to like it (even over VB.Net). While I do not believe in dismissing other programming languages (e.g., VB.Net) just because people “don’t like them”, I do prefer C#.Net over VB.Net for my new projects I work on.

Please note that these “pros” and “cons” of C# are my own opinions and do *not* necessarily reflect the average C# programmer out there.

Pros to using C#

  1. Learning C# will help you later on if you decide to learn harder programming languages (e.g., C or C++). The programming style of C# is very similar to other C languages.
  2. Since people usually see C# > VB.Net, you should have an easier time finding a C# job, instead of a VB.Net one.
  3. Most online examples for .Net languages are in C#.
  4. If you are looking to work with other programmers (commercial or open source), then knowing C# will be a benefit to you.  This is because many programmers out there pretty much have coded (and still do code) in some kind of C language.
  5. The C# language is less verbose (not as wordy) in comparison to the BASIC language. This is more the programmer’s preference than anything else.

VB.Net Verbose Code Example: Dim calculations As Decimal

C#.Net Non-Verbose Code Example: decimal calculations;

Obviously the C# code example has much less to type. You may not think this is a big deal, but if you have 1,000 (+) lines of code to write, you will then understand why a less verbose language is faster to write in.

Cons to using C#

  1. C# would not be the best programming language for newcomers to start programming with (C# is a more complicated syntax).  I would rather start them out on VB.Net, and later on introduce them to C#.Net.
  2. In C#, you have to use semi-colons [ ; ] at the end of each line of code you write. You get used to it after a while, but it is an extra step that you do not have in VB.Net (and many other languages).
  3. The C# language is case-sensitive.  You can have the variables dateofbirth, dateOfBirth, and DateOfBirth all at the same time. This can, over time, cause confusion if you are not careful.
  4. C# is not the same as VB.Net in capabilities (they are practically the same, but not necessarily 1:1 on every detail).  In other words, if you try to convert a C#.Net project to a VB.Net project (or vice versa) you may encounter difficulties. Please make sure to choose the programming language you really want to use to start with.
  5. In C#, the switch clause requires a “break;” command every time you check for a value. The case clause in VB.Net does not require this (less to type in VB.Net). Please note that the switch clause in C# is not exactly the same thing as the case clause in VB.Net.  There are differences.
  6. C# uses curly-brackets { }  that define the beginning and the end of things like functions, for each statements, if statements, etc. Curly-brackets can become messy unless you are careful to not confuse them with other curly-brackets that are for something else in your code. There is software out there that can highlight curly-brackets for you while you are coding, so you have less of a chance of becoming confused.

So in the end, which programming language do I recommend for you to use? Well if you are new to programming on the computer, I would first start out on VB.Net. Later on, you can move to C#.Net.

If you already have gotten your feet wet with programming, I would go ahead and start learning C#.Net. In the end, you have to make up your own mind. 🙂

Remember the more programming languages you learn, the more valuable you will be to other people who need your programming skills. Also please remember that VB.Net is not evil (regardless of what people may say). It is ok to go ahead and write software in VB.Net if you want to (or need to).

