How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser generates your password locally on your computer (via JavaScript) instead of on someone else’s computer (e.g., a web server), this is supposed to keep someone from getting hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well, there are a few reasons why passwords generated via JavaScript can be compromised.


the [Math.random] JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because Math.random is not a cryptographically secure random number generator: its output is not designed to be unpredictable, so it should never be used to create secrets.

A good, secure alternative is the Web Crypto API function window.crypto.getRandomValues(array), which fills a typed array with cryptographically strong random values.

Summary: Using any JavaScript password generator that makes use of the Math.random function is not wise, since this JavaScript function was never intended for high-security situations.


web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript-generated password could be sent straight to the add-on’s creator. Now, I am not implying that every single web browser add-on does this, but there is a very high potential that it can happen.

Would only using open-source browser add-ons be a safe option? Well, open-source add-ons would definitely lower the chance that someone could get away with spying on you. However, open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Update 12/05/2019:  Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).


computer malware  –  This is arguably the most common cause of compromised passwords: malware. Malware can do anything it has access to on your computer, including reading your clipboard (what you copy and paste). This instantly compromises your JavaScript-generated password, along with any other sensitive information on your computer (e.g., credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux-based OS used on smartphones all over the world) already has a good amount of malware written for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.


surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, what you install, etc. In other words, any password generated on these computers (JavaScript or not) will be compromised. It is advised to use non-work computers for generating passwords, or for anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.


So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little more safe than having your password generated on a server and sent across the Internet (using TLS encryption), does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer cannot keep your passwords completely safe from being compromised.


Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software

Browser Fingerprinting: What Is It and What Should You Do About It?

A web browser fingerprint is an identification of someone’s web browser that is used to track them regardless of what IP address they are coming from.

Basically your web browser is probed to determine what add-ons you have installed, what fonts are installed on your computer, what video card your computer has (via WebGL), PNG hash, what operating system you are using, your web browser’s 2D canvas, etc. All of this information is combined to form a fingerprint of your web browser.

Now you may be asking, “How does this allow someone to track my online visits?”  Good question.  People can make use of this fingerprinting to track you even if you take measures to deter people from monitoring your online activity (e.g., using a VPN).

If you have ever visited a website (without using a VPN) and later on you visit the same website (this time, using a VPN), they can still have a pretty good guess that it is you just by looking at your browser fingerprint you left the last time you visited (without the VPN).

This is how websites like YouTube still show you relevant recommendations, even if you use another IP address to access their web service.


Is there any way to stop browser fingerprinting? Not really. You can help confuse trackers into thinking you are someone else by spoofing the fingerprint, but this is not guaranteed to always work.

A browser fingerprint spoofer basically “lies” to a website giving it false information about the web browser. This of course causes the fingerprint to be different than it normally would be. The result? A website thinks you are someone else regardless of the IP address you are connecting from.

(This does not take into account tracking cookies. Websites can also track you with cookies, regardless if they use web browser fingerprinting techniques.)


So what do I recommend to do to help stop browser fingerprinting? Well you can do the following (my opinions, of course):

That should help protect your real fingerprint from being found out. I should note that spoofing your fingerprint may end up breaking certain websites. You will just have to try it out.

Please keep in mind, a browser fingerprint spoofer can end up making your fingerprint unique to everyone else’s fingerprint. This can cause you to stand out like a sore thumb, and cause you to be even more easily tracked. 🙁

This is because most people are not using a fingerprint spoofer and it would become obvious that you (and maybe a couple of other people) are the only ones faking your browser fingerprints. In other words, you do not “blend into the crowd”.


Another trick is to turn on Mozilla Firefox’s “resist fingerprinting” feature. This feature, among other things, causes your web browser’s fingerprint to match that of the Tor Browser. This makes you blend into the crowd of Tor users, since they should all be presenting the same fingerprint.

To turn this feature on:

  • at the about:config webpage (on Firefox), find the option privacy.resistFingerprinting and set it to true, then restart the web browser

However, this feature (in my experience) causes some websites to break (animations are slowed down, the current time of day will not be correct, etc.). These side effects are part of how it prevents websites from fingerprinting the browser.


Please remember that there is no way to be 100% anonymous on the Internet. There is always someone out there who can track you. All you are doing is making it harder to be tracked.

I hope I have helped someone with this blog post. It took me a bit to write it, but it is worth it if it helps. 🙂


Posted in Computers, Security, Software, VPN

Should You Setup Your Own VPN Server?

In this post, I am going to go through the different ways a VPN can be hosted.

I am just going to talk about VPNs in the context of people using them to secure their connection and/or hide their IP address (not about using a VPN for connecting two company networks together).

Should you set up your own VPN server? Only if you require security, not privacy. Otherwise, I recommend going with a reputable VPN service.


Self-Hosted VPN

This is when you run your own VPN server from your home/office. The main advantage of going this route is that you control your network, and you completely control your computer that runs the VPN server.

The Good:  You get the advantage of extra security when connecting over a potentially hostile network (e.g., coffee shops, hotels, etc.).

The Bad:  You get no privacy whatsoever, since your online activity is still under the IP address you have been assigned by your ISP (Internet Service Provider).


VPN on a Virtual Private Server

Many online companies offer virtual server hosting solutions. Many of these companies allow their users to set up their own OpenVPN server. You technically are running your own VPN server, but the server itself is being hosted elsewhere.

The Good:  You get some privacy since the IP address of your server is owned by your web hosting company, not your ISP. In addition, you still get the extra security when connecting over a potentially hostile network.

The Bad:  Since you are the only one using the IP address assigned by the web hosting company, there is very little “wiggle room” in case someone wanted to track you down for some reason (e.g., for posting “offensive” comments or something).

In addition, since you do not operate the network your server is on, you can never be sure if your web hosting company is spying on you (always assume that they are). They can even spy on your virtual server too.


VPN via a VPN Service

This is when you go to an actual VPN service and pay to make use of the vast array of servers they have specifically set up for people to use for privacy.

I am not going to recommend any particular VPN service. You must make that decision for yourself.

The Good:  Going this route is usually quick and easy to get set up. Most VPN companies focus on your privacy (that is what they are supposed to be in business for anyway). This is the best way for someone to get started with using VPNs when they have never used one before.

In addition, since many other people are using the same VPN server you are on (hence, the same IP address), you “blend into the crowd”.

The Bad:  VPN servers can get overloaded, since VPN companies usually have thousands of customers using their services at any given time. In addition, not all “no logging” VPNs are really doing what they say. I am not going to point any fingers, but just be careful when choosing a VPN service.


The following chart is my opinions for each type of VPN hosting.

Security Level – Determined by how much control you have over the VPN server and its network.

Privacy Level – Determined by how much the VPN hosting will protect your privacy.

                  Self-Hosted at Home/Office   VPN on a Virtual Private Server   VPN Service
  Security Level  High                         Low                               None
  Privacy Level   None                         Medium                            High

Things to Keep in Mind

  • VPNs cannot keep you completely anonymous. All you are doing by using a VPN is making the VPN your “new” ISP. They can potentially mess with your data that you are sending through their servers. In addition, someone could be tapping the Internet link that your VPN provider is using. This may compromise your privacy.
  • Doing something malicious. No VPN will completely protect you if you are doing something to attract the attention of a large, well-connected organization (e.g., a government agency).
  • Using a VPN because of “no logs” is not a good idea. I am sure there are some that really do not log, but even if they didn’t at some point, how do you know that they will not start logging without your knowledge?
  • A VPN will not protect you from viruses. A virus (e.g., from a file download) can still infect your computer even if you are using a VPN.
  • A VPN will not completely protect you from hackers either.

(Click here to read my “Popular Misconceptions About VPNs” article.)


Posted in Computers, Internet and Servers, Security, Software, VPN

When Should You Update Software?

Software updates are one of the things that can cause pain for server and network administrators. They do not have the luxury of just clicking an “upgrade to next version” button like you would see on a WordPress website. There is usually more involved when updating software.

When you have a new software (or operating system) you can upgrade to, there are a few things to check out first.

(Not an exhaustive list)

  1. Does it have any features that are beneficial to my daily work?
  2. Does it have any features that have been removed?
  3. Will the currently running software work with the new OS, or have people complained about the software not working correctly?
  4. Will your hardware work with the new software?
  5. How much downtime will an upgrade incur?
  6. If a lot of downtime will occur, is there a way to minimize the downtime?

Whenever you want to use a newer OS, you should always perform a fresh install on the computer. Never just do an in-place upgrade. An in-place upgrade is a very good way to mess things up on the computer. Even if the in-place upgrade (not a fresh install) seems to work fine, there may be small issues that will pop up later that you are not aware of. Then you will wish you had done a fresh install in the first place. 🙂

Also, whenever you want to update a piece of software, always make sure you are using a “stable” release of the software. Never run Beta, RC, Alpha, or any other “not finished” software in production. This can cause you grief that you could have avoided.


Posted in Computers, Internet and Servers, Operating Systems, Programming, Software