
diceware's Introduction

Hi there, I'm Glenn - aka @grempe 👋


I'm a Husband, Father, Developer, and the Founder & CEO of Truestamp (on GitHub @truestamp)!!

  • 🌱 I'm currently growing Truestamp 🤣
  • 👯 I'm focused on the intersection of Privacy, Security, Cryptography, and Integrity
  • 🥅 Goals: Help my customers verify the integrity of their most important data
  • ⚡ Fun fact: My vehicle license plate has a cryptography reference. I think it confuses most who see it


diceware's People

Contributors

alan247, brettcannon, dependabot-preview[bot], grempe, jeremyben, klamann, pnieweglowski, taipo, yesiamben


diceware's Issues

Megalists

https://kevinmarquette.github.io/2017-03-25-mnemonic-wordlist
https://github.com/singpolyma/mnemonicode and https://github.com/bwhmather/python-mnemonicode
http://bohwaz.net/archives/web/Bubble_Babble.html and http://www.wiki.yak.net/589
https://github.com/kpalin/bubblebabblepy and https://github.com/zougloub/python-bubblebabble
https://github.com/rsaarelm/vorud and https://github.com/dsw/proquint
https://github.com/cynodelic/bitspeak
https://github.com/femto113/node-pronounceable and https://github.com/flon-io/mnemo
https://github.com/jmettraux/rufus-mnemo and https://github.com/jmettraux/munemo
https://github.com/alexvandesande/Daefen
https://github.com/mgrp/phonobyte
https://gist.github.com/amintos/4507279
https://github.com/paulbellamy/base65536
https://github.com/ssut/basehangul
https://github.com/anexia-it/go-human
https://github.com/imuli/word-bases
https://github.com/mattdot/basehuman
https://maksverver.github.io/key-encoding/
https://github.com/mgrp/humanencoding
https://github.com/andyburke/simplecoder
https://github.com/gfredericks/hexes
https://github.com/lpil/wordhash
https://github.com/DrDub/namegen
https://github.com/nimakha/humanhash
https://github.com/fpgaminer/hash-phrase
https://github.com/jjt/hashwords
https://github.com/wolfeidau/humanhash
https://github.com/JakeElder/reversible-human-readable-id
https://github.com/jasonkester/hashid32
https://github.com/supertramped/vw-lda-wrapper
https://github.com/zacharyvoase/humanhash
https://github.com/rcorp/bhasha
https://github.com/jamesmunns/human-hash-rs
https://github.com/fxnn/readable-hash
https://github.com/fpgaminer/hash-phrase
https://github.com/davidmarkclements/hash-phrase

Mobile site has no way to submit entered numbers

I just discovered I made a major boo-boo when adding the tel support to the input field; there's no return/enter key on the numeric keypad under Android. All there is is a "next" button to go to the next field in the form (which happens to just be a link on the website). So without adding a submit button (maybe the # symbol next to the input field?), the tel type should be removed.

Invalid URL in README.md

The URL in line 22 in README.md points to a domain which has changed ownership. According to the Wayback Machine sritest.io was parked sometime from March 2018 to June 2020 and sold afterwards, causing a 301 redirection to an adult website.

Allow for bookkeeping a specific wordlist

When you choose a wordlist other than "English" there's no way to always go back to the website from a bookmark and have that wordlist selected. Probably changing it so that when a different wordlist was selected the URL was rewritten to have e.g. #english-alt and have some JS to parse the URL and select the wordlist appropriately would be required.

Site claims dice rolls are biased

Using mod to fit random values isn't safe - unless the values wrap perfectly you end up with bias towards the start of the range.

Here's 100 million dice rolls using BYTE % 6:

[16792052, 16806014, 16789917, 16801670, 16413165, 16397182] stddev=202702

Having examined the code, this isn't what's happening. So this bit is both alarming and misleading:

The Bytes output from the RNG are converted to die rolls with (BYTE % 6) + 1
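The bias this issue describes can be counted exactly, because a byte has 256 values and 256 is not a multiple of 6. The following is an added example, not code from the diceware repository; the function names and the `nextByte` callback are hypothetical, and rejection sampling is shown as one standard way to remove the bias.

```javascript
// Added example: not code from the diceware repository.

// Exact distribution of (BYTE % 6) over every possible byte value.
// 256 = 42 * 6 + 4, so residues 0..3 (faces 1..4) each get one extra byte value.
function moduloFaceCounts() {
  const counts = [0, 0, 0, 0, 0, 0];
  for (let b = 0; b < 256; b++) counts[b % 6]++;
  return counts;
}

// Largest multiple of 6 that fits in a byte. Bytes at or above it are discarded.
const LIMIT = 256 - (256 % 6); // 252

// Same count, restricted to the bytes that rejection sampling accepts.
function acceptedFaceCounts() {
  const counts = [0, 0, 0, 0, 0, 0];
  for (let b = 0; b < LIMIT; b++) counts[b % 6]++;
  return counts;
}

// Default byte source: the Web Crypto CSPRNG (browsers, recent Node.js).
function cryptoByte() {
  const buf = new Uint8Array(1);
  globalThis.crypto.getRandomValues(buf);
  return buf[0];
}

// Unbiased die roll: redraw until the byte falls below LIMIT, then reduce.
// nextByte is a hypothetical callback returning an integer in 0..255.
function unbiasedRoll(nextByte = cryptoByte) {
  for (;;) {
    const b = nextByte();
    if (b < LIMIT) return (b % 6) + 1;
  }
}

console.log('BYTE % 6 counts per face:   ', moduloFaceCounts().join(', '));
console.log('with rejection (b < 252):   ', acceptedFaceCounts().join(', '));
```

Scaled to 100 million rolls, 43/256 and 42/256 give about 16.80 million and 16.41 million per face, the same shape as the counts posted above.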

Use subresource integrity

Subresource integrity (SRI) lets you specify a hash for any content in a <link> or <script> tag to validate that what the browser gets is what you were expecting, e.g.:

<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

It's primarily useful for checking the integrity of files as served by a CDN (which I believe rempe.us/diceware is based on PR comments mentioning gh-pages). That way your trust focuses primarily on what index.html is served to your browser as at least any directly loaded JS will be validated as the same as you expected to be served based on the hashes.

It's supported by Chrome, Firefox, Opera, and Chrome Mobile so it isn't a waste of effort. And it supports hashes up to sha512 (which is what I would suggest using as sha384 truncates data which is only useful if you are trying to protect input values which isn't the case here).

The downside of SRI for a website that's entirely statically defined is that it means any time you update any JS code that is tagged with a hash you must also make sure to update the hash. That probably means adding a step in the development process for anyone who edits any JS as they will need to update the appropriate hash(es). Having said all of this, I am willing to pull together a Python script that you can point at an HTML file and have it print out when the hashes are outdated and what the new hash values should be (I would make a new GH project for this and license it under Apache 2 if you wanted to embed a copy in this repo). There are also SRI-generating tools for things like Gulp if that's how you would want to do your workflow.
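A sketch of the kind of checker this issue proposes, written for Node.js as an added example: it is not the script the poster offered and not code from the diceware repository. The `files` Map input, the status names and the sample page are assumptions, and the regex matching assumes double-quoted attributes with a single hash per `integrity` value.

```javascript
// Added example: not code from the diceware repository.
const { createHash } = require('node:crypto');

const SRI_ALGS = new Set(['sha256', 'sha384', 'sha512']); // algorithms defined for SRI

// SRI value for a file body: "<alg>-<base64 of the raw digest>".
function sriHash(content, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(content).digest('base64')}`;
}

// Compare each integrity attribute in `html` with the hash of the file it
// points to. `files` is a Map of URL -> current file content (hypothetical
// input shape). The hash algorithm is taken from the declared value.
function checkIntegrity(html, files) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*>/gi)) {
    const url = (tag.match(/\s(?:src|href)="([^"]*)"/i) || [])[1];
    if (!url || !files.has(url)) continue; // not a file we can hash
    const declared = (tag.match(/\sintegrity="([^"]*)"/i) || [])[1];
    if (!declared) { findings.push({ url, status: 'missing' }); continue; }
    const alg = declared.split('-')[0];
    if (!SRI_ALGS.has(alg)) { findings.push({ url, status: 'unsupported' }); continue; }
    const expected = sriHash(files.get(url), alg);
    findings.push({ url, status: declared === expected ? 'ok' : 'outdated', expected });
  }
  return findings;
}

// Constructed sample: app.js was edited after its hash was written into the page.
const SAMPLE_FILES = new Map([
  ['js/app.js', 'console.log("v2");'],
  ['css/site.css', 'body { margin: 0 }'],
]);
const SAMPLE_HTML = `
<link rel="stylesheet" href="css/site.css"
      integrity="${sriHash('body { margin: 0 }', 'sha512')}">
<script src="js/app.js"
        integrity="${sriHash('console.log("v1");')}"></script>
<script src="js/extra.js"></script>`;

for (const f of checkIntegrity(SAMPLE_HTML, SAMPLE_FILES)) {
  console.log(f.status, f.url, f.status === 'outdated' ? f.expected : '');
}
```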

better wordlists (remove non-words)

This tool is fun but honestly the entropy is kinda going down when you have to skirt around random junk all day like "zp" or a whole lot of number stuff on the lists or "aa", "aaa" and "aaaa" as well.

On the German wordlist, for example, I could throw out the first 244 entries and probably some more later and at the end, because they make this thing borderline unusable and just plain bad.

If numbers or symbols are needed, one could just throw them on extra instead of just making the lists worse than they should be.

Sure, you didn't create the lists, but maybe you or someone reading here can help improve them.

Feature request - "capitalize a letter" button

For my analog Diceware I typically incorporate some random capitalization. I do this via dice rolls as described on the original Diceware FAQ. I think this would be a useful feature for this generator. I envision an added button which, when clicked, would randomly capitalize a letter in the current passphrase. Clicking it again would capitalize a second letter, three times a third letter, etc.

Another option might be a button to all-caps a random word, if a single-letter option is too much effort.

Inclusion of other lists from Github repos

Binary Lists
