21 Comments

Password.Kiwi | Secure Password Generator 🥝🔒

I wanted to make a free, 100% open-source password generator that (hopefully) looks nicer than the top-ranking password generators on Google.

Things I am proud of:

  • It has a perfect 100/100 Lighthouse score
  • It is a PWA (Progressive Web App) which means it can even work off
  1. 4

    I think it's really good. Here are my thoughts.

    • It's not clear how to create a new password. When you click it, it copies and creates a new password. There should be two buttons, one to copy and one to generate a new password.

    • Add options so someone can adjust the length of the password and whether it includes just numbers and letters, or symbols too.

    1. 1

      Thanks! I wanted to make it simple by having just one button to both generate and copy the password, but you are right that maybe it's not clear enough right now that it will copy AND generate a new one.

      And yep, I will look to add a length / characters adjustment option seeing as it's being requested a lot!

  2. 3

    It looks pretty cool! I'd put more info at the top to make it less scary for some. At least on mobile all I see is the password. Really like the logo too. Maybe play with the color of the kiwi/lock transition.

    1. 1

      Cheers @DavidGetchel! Curious what you mean by the kiwi/lock transition? Also, what kind of info would you want at the top? Thanks again 🙏

      1. 1

        Besides the secure password generator, the info in the 100% secure section might look good above the fold. Or part of it maybe.

        As for the logo, the dark brown ends before the white lock part at the top. Don't know if a grey would work better. Just my thoughts.

  3. 1

    Hey, I like the idea. I have a few questions/suggestions though:

    • I only get 10-character passwords. I can't find it right now but I think NIST (US IT security standard office) or BSI (German Internet security office) recommend at least 12 characters. Most of my passwords have around 30 characters. I don't think 10 chars is secure with today's technology.

    • I get why you don't save the passwords. Do you have any suggestions on how to remember your generated passwords?

    • Why not use a locally running password vault if you're "scared" services like 1Password or LastPass get compromised?

    Just wanna find out the benefits of your product over other tools that generate passwords.

    1. 2

      By the way, updated to add new options including password length! Hope you like it 💪

      1. 1

        Yeah, I really like it. It's simple, effective and looks great! 👍

    2. 1

      You're right! I will add an option to adjust the password length. I initially chose 10 characters just because it looks nicer, but I guess sometimes UX isn't everything! Although it would take a few years to crack most 10-character passwords...

      Maybe a good option would be for me to build a vault feature so that all passwords are stored securely and locally, offline, with 100% open-source code...

      1. 1

        How fast a password is cracked also depends on the hashing algorithm used. A default Windows password is hashed with NTLM, and an 8-char password is cracked in under 2.5 hours if the hash is known.

        Regarding the vault, I don't know how secure it is to store unhashed passwords in some web storage. Of course you could encrypt them instead of hashing, but the keys would need to be stored on the same machine.

        It sure is a challenging project but will be great if it's done right. Just make sure to get all security related features (e.g. storage) thoroughly tested by security experts.

        1. 1

          Good points! I will look into seeing how to do that. I definitely think there would be value in having a free, offline, open-source alternative to 1Password or LastPass.

          1. 1

            Hi, my SaaS is a secrets manager / password manager, mainly DevOps focused. It's not open source, though, but I do offer free accounts. The user's master password is never stored in pkhub, and all encryption keys are encrypted from a stretched+salted version of the master key.

            For secure offline storage I've used AES-CBC-256 with HMAC-512. CBC at the moment has a better track record for long-term disk storage than GCM, IMHO. HMAC is a necessity; people don't normally know it, but just encrypting isn't enough: you need authenticated encryption, which GCM and the HMAC part give you.

            If you're going to write your own password manager, ping me if you need any review or advice. Writing your own is tough, but also a great experience in the world of encryption.

            Open source is easier to get security reviews on. I've already had two white-hat hackers look through pkhub in exchange for bounty payments. Nothing other than missing HTTP config params has been found, so I'm quite happy with my encryption code.

  4. 1

    Hey @brunezy,

    Nice work with the password generator.

    I'm a web and graphic designer and I'll try to give some useful feedback.

    The design feels "un-secure". I don't know why, but it just does to me. Why not try adding a white background and using green as your primary color? You want your visitors to trust you with the passwords generated by the website, and green means trust, nature, clear and good.

    I like the "None of your data ever touches our server. No cookies. No tracking pixels. No sweat.", that's a great assurance, but I'd also like to know how these passwords are generated. By educating your customers with this information, they'll feel much better and trust your passwords more.

    Those are my 2 cents.

    Hope that helps.

    1. 1

      Updated to a new color scheme! Hopefully this one's a bit nicer :)

      1. 2

        This one is much better @brunezy

    2. 1

      Thanks for the input @praveentelu I know what you mean about the dark theme not feeling secure. That's kinda what I was going for by saying it feels "scary" :)

      I'll try a light theme and see if that is better!

  5. 1

    Cool stuff. I'm not sure about the practicalities, as I'm certain most tech-savvy folks will be using their password managers. I use 1Password myself; you can look up the options that they provide as to password length or characters to avoid.

    1. 2

      Cheers for the input @jaryl! The point here (although probably I need to explain it better on the landing page) is to generate a password completely independently of 3rd-party companies who are making a profit and are also susceptible to hacks.

      Sure, 1Password and Google Chrome have a password generator, but they are then charging you to save the passwords. Furthermore, it could be argued that the passwords saved on these services are then susceptible to being hacked.

      This solution enables the user to generate a completely random password while being offline, and at the same time the whole code is available to inspect, whereas the same cannot be said of 1Password.

      1. 1

        I personally use Bitwarden, which is free and open source, but regardless, what you have built looks quite nice. The only confusing part is that when you click the password it saves and generates a new one, but it's a bit confusing as to whether it's the old one that was saved or the new one.
