rndphrase v0.9.5 (published 9 years ago)

Weekly downloads: 2
License: MIT
Repository: github
Last release: 9 years ago

RndPhrase.js


RndPhrase.js is a JavaScript module that automatically generates secure passwords. It is a library and is not meant to be used stand-alone, although it can easily be used with node.js. The purpose of RndPhrase is to keep your password secure by sending a hash of the password to the server instead of the plaintext one.

This fixes some common issues with passwords.

  1. Shoulder surfing might reveal the password you type, but not the actual password sent to the server.
  2. If the database is compromised, your actual password is not compromised, even though the site might store it in cleartext.
  3. Passwords are never reused across domains, because the domain is part of the hashing algorithm. So even if you use the same password in more than one place, the compromise of one site does not lead to a general compromise of your password.

This might be clearer with an example.

  1. First you decide on a seed; this is a secret that only you know. For this example, let's use the seed "nobodyknowsmyseed".
  2. Choose a password that you wish to use. We'll just use "secret".
  3. Now here comes the magic... Let's try to make a password for github.com

        var r = new RndPhrase({
            seed: 'nobodyknowsmyseed',
            uri: 'github.com',
            password: 'secret',
        });

        console.log(r.generate()); //output 1,d$[xtd%S&1b8%9

     So far so good; this looks like a password that is hard to guess. Even if it is stored hashed in a database, it doesn't look like a password anybody in their right mind entered. Now let's create one for facebook.com

        var r2 = new RndPhrase({
            seed: 'nobodyknowsmyseed',
            uri: 'facebook.com',
            password: 'secret',
        });

        console.log(r2.generate()); //output 8a'4}+J Ds1%l ua
  4. Wow! We used the same credentials, but the output was two completely different things - and all we changed was the domain!

How it works

RndPhrase uses three pieces of information: a seed, a password and a uri. The seed is meant to be stored in the browser and typed in only once. Remember it if you switch systems. ;) The password is what you type on your keyboard; it should, of course, not be reused, even though RndPhrase fixes that for you. The uri is a unique string identifying the place you are trying to log in to; a browser plugin should generate it automatically (if you use it on web pages). The uri can also carry a user id together with the site name, if you have multiple users on the same web page, e.g. github.com/privateuser and github.com/workuser.

Usage

Import RndPhrase.js as a module in your source.

RndPhrase = require('rndphrase.js');

Instantiate the object with the minimum configuration requirements

var r = RndPhrase({
    seed: 'nobodyknowsmyseed',
    uri: 'example.net'
});

Invoke the generate method

r.generate('secret'); // 2JaL3{9e*o>T5x9I

Subsequent calls to the generate method yield new passwords

r.generate(); // Q^RkA%kx){AI9`0!
r.generate(); // Rucn;5;^maAv08X|

Configuration

It is possible to configure RndPhrase.js to enforce restrictions on the generated passwords, to accommodate websites that have misunderstood password security. Everything is passed in a JSON object with the following options

seed

The seed used. Expected to be a string, but can be anything that the hashing algorithm can hash. Should be entered manually once and saved by the plugin using the library. Remember not to save it in plaintext. ;)

Mandatory, does not have a default.

uri

A string specifying the location; should be generated automatically by the plugin using the library.

Mandatory, does not have a default.

password

The password entered by the user. Should be entered manually; do not save it anywhere.

Mandatory, does not have a default.

size

An integer specifying the minimum length of the generated password.

Defaults to 16.

version

Integer. Used for stupid websites that demand you change passwords frequently.

Defaults to 1.

capital

Configuration for capital letters. Set to false to disable.

Default:

{
	min: 1,
	max: -1, //infinite
	alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
}

minuscule

Configuration for minuscule letters. Set to false to disable.

Default:

{
	min: 1,
	max: -1, //infinite
	alphabet: 'abcdefghijklmnopqrstuvwxyz'
}

numeric

Configuration for numbers. Set to false to disable.

Default:

{
	min: 1,
	max: -1, //infinite
	alphabet: '0123456789'
}

special

Configuration for special symbols. Set to false to disable.

Default:

{
	min: 1,
	max: -1, //infinite
	alphabet: " !\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
}

Donate

Help make this software better

Flattr this git repo

BTC: 1NPnXF6bUBx9GJCnHkWNN5hpNQQAbWnpPP