secure-password-generator

Generate human-readable passwords (option)

Open bittner opened this issue 7 years ago • 4 comments

I know the purpose of this extension is to never think of passwords again, simply generate one and save it to the password manager. BUT:

Sometimes you happen to be on devices that don't have the (Firefox) password manager integrated. So, you look up the password, and then ... then you have a hard time typing in the thing you read from the screen (even worse: on your mobile device).

Hence, it would be nice to have (the option to have) human-readable passwords generated, e.g. simply long sentences. The typical example and explanation for this use case is XKCD's comic, "correct horse battery staple".

bittner, Aug 15 '18 09:08

But that would either imply a dictionary or some neural-network magic (much more difficult, I presume). I don't know much about theoretical cryptography, but wouldn't the use of a dictionary provide some sort of a side channel and render the password generation less random?

aneutron, Aug 16 '18 08:08

wouldn't the use of a dictionary provide some sort of a side channel and render the password generation less random

That's true. At the same time I assume the passwords we generate can be much longer (because people can keep words in short-term memory instead of single characters when typing a looked-up password off the screen). And longer is harder to brute-force crack.

Implementation

I would, if that's possible (probably not), try to use local word lists, i.e. word list files resident on your computer (because that won't always be English). Then again, if Firefox permits it those files are available on Unix-style computers (GNU/Linux, macOS) but probably not on Windows machines. :unamused:

In one way or another this would have to be managed in a "smart", user-friendly way with dictionary word lists (are there any available online? some that even continuously change?), ideally in all languages the current user is capable of understanding (autodetected, of course) -- this adds randomness on a global scale.

Security Concerns

Let me reiterate: dictionary word lists, while typically a warning sign in the area of secure authentication, are most probably not a problem here, as long as we think of "words" as "input items" that are combined into a lengthy string.

Following the idea of XKCD's comic we may assume that a password made of 8 (dictionary) words - even if they are only English - is safer than a password with just 8 (random) characters. -- Think: only a single dictionary word is a security issue.

bittner, Aug 16 '18 08:08

For the local dictionary, if I recall correctly µBlock Origin downloads block lists locally before parsing them and keeps a local copy, so maybe we could look into how it's done there, but it's definitely possible to keep files locally.

As for publicly available dictionaries, I think it should be fairly easy to find some. Or maybe even host some on a github repository (as is the case with some lists that µBlock uses), maybe even in different languages.

As for the security concerns, as I said earlier, I do not consider myself knowledgeable enough to give an opinion on the matter. It is a good idea, especially for using the passwords on a mobile platform (I agree that it is painful ...). I think that as long as we keep it as an option, it should be OK.

Oh, and maybe add some 4 to 8 digit numbers in the mix when generating the passwords. There should probably be some research on the matter, or at least previous attempts at generating similar passwords; maybe we could look into those before jumping straight into implementation.

aneutron, Aug 16 '18 09:08
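The two comments above argue about whether a public word list weakens the result and whether appended digits help. The arithmetic is easy to make concrete. The following is an added example written for this thread, not code from the secure-password-generator extension: a diceware-style generator that draws words with an unbiased index from a CSPRNG, optionally appends digits, and computes the entropy in bits so the "8 words vs. 8 random characters" comparison can be checked. The word list here is a constructed 20-entry toy; the 7776-word and 95-character figures used in the comparison function are assumptions standing in for the EFF large word list and printable ASCII.

```javascript
// Added example (not the extension's own code): diceware-style passphrase
// generation with unbiased word selection, plus the entropy arithmetic
// behind "8 words is stronger than 8 random characters".

// Constructed toy word list (20 entries). A real list such as the EFF
// large word list has 7776 entries. The list may be public; only the
// selection has to be secret.
const SAMPLE_WORDS = [
  'correct', 'horse', 'battery', 'staple', 'anchor', 'bucket', 'candle',
  'dragon', 'ember', 'falcon', 'garden', 'hammer', 'island', 'jungle',
  'kettle', 'lantern', 'marble', 'needle', 'orbit', 'pepper',
];

// Default entropy source: the Web Crypto CSPRNG available to Firefox
// extensions (and to recent Node). Never use Math.random() here.
const cryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// Deterministic source for tests and audits: replays a fixed sequence of
// 32-bit values instead of drawing from the CSPRNG.
function sequenceFill(values) {
  let i = 0;
  return (buf) => {
    if (i >= values.length) throw new Error('sequence exhausted');
    buf[0] = values[i++];
  };
}

// Uniform integer in [0, n) by rejection sampling. `x % n` on a raw 32-bit
// value is biased whenever n does not divide 2^32, so values at or above
// the largest multiple of n below 2^32 are discarded and redrawn.
function randomIndex(n, fillRandom = cryptoFill) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in [1, 2^32]');
  }
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  for (;;) {
    fillRandom(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

// Build "word-word-word[-dddd]" from `count` independent word draws and
// `digits` independent decimal-digit draws.
function generatePassphrase({
  words = SAMPLE_WORDS, count = 6, separator = '-', digits = 0,
  fillRandom = cryptoFill,
} = {}) {
  if (words.length < 2) throw new RangeError('word list is too small');
  const parts = [];
  for (let i = 0; i < count; i++) {
    parts.push(words[randomIndex(words.length, fillRandom)]);
  }
  if (digits > 0) {
    let tail = '';
    for (let i = 0; i < digits; i++) tail += String(randomIndex(10, fillRandom));
    parts.push(tail);
  }
  return parts.join(separator);
}

// Entropy in bits of a passphrase: each word contributes log2(listSize),
// each appended digit log2(10). Only the number of equally likely choices
// matters, not how long the words are.
function passphraseEntropyBits(listSize, count, digits = 0) {
  return count * Math.log2(listSize) + digits * Math.log2(10);
}

// Entropy of a uniformly random character password.
function charPasswordEntropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// The thread's comparison, with assumed sizes: 8 words from a 7776-word
// list versus 8 characters from the 95 printable ASCII characters.
function compareThreadExample() {
  return {
    eightWords: passphraseEntropyBits(7776, 8),   // about 103.4 bits
    eightChars: charPasswordEntropyBits(95, 8),   // about 52.6 bits
  };
}
```

Two points worth keeping in mind when building this into the extension: the word list being public costs nothing (the attacker is assumed to know it; the strength is entirely in how many words are drawn and how large the list is), and the bias in `x % n` that rejection sampling removes is small per word but is exactly the kind of flaw a password generator should not have. Four appended digits add about 13 bits, roughly one extra word from a 7776-word list, so they are a convenience for sites that demand a digit rather than a substitute for more words.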

Some background reading I just found:

bittner, Aug 25 '18 15:08