GitHub - 133794m3r/hashpass: Password Generator using uberhash for strong passwords

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 352 Commits
js		js
README		README
awesome_gen_pass.php		awesome_gen_pass.php
awesome_gen_tests.html		awesome_gen_tests.html
awesome_pass_gen-combined.min.js		awesome_pass_gen-combined.min.js
awesome_pass_gen-old.js		awesome_pass_gen-old.js
awesome_pass_gen.js		awesome_pass_gen.js
bcrypt-optimized.js		bcrypt-optimized.js
bcrypt-optimized.min.js		bcrypt-optimized.min.js
bcrypt.js		bcrypt.js
bcrypt.min.js		bcrypt.min.js
bcrypt_test.js		bcrypt_test.js
bcrypt_test1.js		bcrypt_test1.js
bcrypt_times		bcrypt_times
build.sh		build.sh
domain_extractor.js		domain_extractor.js
hashpass.html		hashpass.html
index-dev.html		index-dev.html
index.html		index.html
index.html.bak		index.html.bak
license		license
math.js		math.js
misc.js		misc.js
out2.js		out2.js
passgen_bookmarklet-min.js		passgen_bookmarklet-min.js
passgen_bookmarklet.js		passgen_bookmarklet.js
salt_test.js		salt_test.js
sbcrypt.js		sbcrypt.js
sbcrypt1.js		sbcrypt1.js
sbcrypt_test.js		sbcrypt_test.js
scratchpad.js		scratchpad.js
scrypt.js		scrypt.js
scrypt1.js		scrypt1.js
scrypt_fast.js		scrypt_fast.js
scrypt_fast.min.js		scrypt_fast.min.js
scrypt_fast1.js		scrypt_fast1.js
scrypt_test.html		scrypt_test.html
scrypt_test.js		scrypt_test.js
scrypt_test1.html		scrypt_test1.html
sha1-optimized-fast.js		sha1-optimized-fast.js
sha1.js		sha1.js
sha256_fast.js		sha256_fast.js
string.js		string.js
style.css		style.css
test-orig.html		test-orig.html
test.html		test.html
test.js		test.js
test1.html		test1.html
todo		todo
uhash_test.html		uhash_test.html
uhash_test1.html		uhash_test1.html
zxcvbn.js		zxcvbn.js

Repository files navigation

This is a password generator like supergenpass but that uses much stronger hashing(one-way encryption) and it version 2.0.0b and is considered generally safe to consume by the general public. As the systems included should give users who have their base password at least a score of 3 a very unlikely chance of someone manging to guess their password.

HashPass
Copyright (c) 2011-2018 133794m3r
AGPLv3 or Later

Various files that are licensed differently are listed below.
The scrypt js library minified in scrypt1.js is licensed under the MIT from the original source. I have included their link in the source file itself. It is no longer async but is now synchronous those looking for an async version should look at the source repo.
Scrypt Async JS
Copyright (c) 2013-2016 Dmitry Chestnykh | BSD License
https://github.com/dchest/scrypt-async-js

I also have included ZXCVBN for password strength estimation. It is licensed as MIT-like it looks like.

ZXCVBN
Copyright (c) 2012-2016 Dan Wheeler and Dropbox, Inc.
https://github.com/dropbox/zxcvbn

Timing Estimation Reasoning Explained

The time shown is based upon a rough estimate of ~390 times as fast as the algorithm in native code(SSE2 for scrypt) on one core of my laptop[1]. I figure that that is a high enough multiplier to be realistic as the memory required is over 40MiB in total and thus GPUs should be inihibited and at worst I figure it should be realistic. It is based upon that many guesses per second and converted using zxcvbn's time to display function itself as the options built in don't work for me as the offline slow hash is likely based upon a much lower scrypt value than I am using. I have added legacy mode for those migrating from the old version and will use this when/if in the future I switch to something else(maybe argon2) sometime in the future once it's proven itself to be secure.

[1]
My laptop is an i7-2760QM with turbo up to 3.5Ghz during tests it'd stay ~3.2-3.3Ghz on the core running the full scrypt. I did not do the simplification pass, nor did I check for repeat strings etc. Just the extremely cputime intensive generatingthe salt, and also hashing the password. The other parts excluding scoring generally take ~1-2ms and that is barely worth the effort to reimplement to see how it'd work as the majority is in those parts.