brendanashworth / generate-password

NodeJS library for generating cryptographically-secure passwords.
MIT License

Passwords are sometimes the wrong length #76

Closed alexandervandekleutab closed 2 years ago

alexandervandekleutab commented 2 years ago

The following will sometimes generate passwords of length 7 containing no special characters:

passwordGenerator.generate({
  length: 8,
  strict: true,
  numbers: true,
  lowercase: true,
  uppercase: true,
  symbols: true,
  // These exclusions are either reserved (before space)
  // or unsafe (including and after space) characters for URLs
  exclude: '&$+,/:;=?@# <>[]{}|^%',
})

We are passing this password to a callback that generates emails by directly injecting the password into a URL. Therefore we cannot pass symbols usually reserved for URLs. This code generated the password ADd9xFM which is 7 characters long.

brendanashworth commented 2 years ago

@alexandervandekleutab not convinced this is an issue on our end. I can't seem to reproduce even with a lot of passwords:

> gen.generateMultiple(1000000, options).filter(s => s.length != 8)
[]

After stripping out the characters you exclude, encodeURI still gives different characters. Do you want to exclude those too?

> let symbols = '!@#$%^&*()+_-=}{[]|:;"/?.><,`~'
undefined
> let passthru = symbols.split('').filter(c => '&$+,/:;=?@# <>[]{}|^%'.indexOf(c) === -1)
undefined
> passthru
[
  '!', '*', '(', ')',
  '_', '-', '"', '.',
  '`', '~'
]
> passthru.map(c => encodeURI(c))
[
  '!',   '*', '(',
  ')',   '_', '-',
  '%22', '.', '%60',
  '~'
]

brendanashworth commented 2 years ago

Going to close this because it hasn't been reproduced.
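
Added example, not part of the original thread or the library's code: it checks which characters of the symbol string quoted above survive a round trip through a URL query parameter when the password is injected raw, passed through encodeURI, or passed through encodeURIComponent. The callback URL, the sample password shape and the assumption that the receiver parses the query with WHATWG URL rules are constructed for illustration.

```javascript
// Symbol string and exclusion list as quoted in the thread above.
const SYMBOLS = '!@#$%^&*()+_-=}{[]|:;"/?.><,`~';
const EXCLUDED = '&$+,/:;=?@# <>[]{}|^%';

// Hypothetical callback endpoint (constructed; .test is a reserved TLD).
const BASE = 'https://mail.example.test/callback?pw=';

// Build the URL with the given encoder, then read the parameter back the
// way a receiver using the WHATWG URL parser would.
function roundTrip(password, encode) {
  const url = new URL(BASE + encode(password));
  return url.searchParams.get('pw');
}

// Constructed 8-character sample password with the symbol in the middle.
function sampleWith(symbol) {
  return 'aB3' + symbol + 'xY7z';
}

// Symbols whose sample password does not come back unchanged.
function damagedSymbols(encode) {
  return [...SYMBOLS].filter(
    (s) => roundTrip(sampleWith(s), encode) !== sampleWith(s)
  );
}

// Direct string injection with no encoding at all.
const raw = (s) => s;

function report() {
  return {
    damagedRaw: damagedSymbols(raw),
    damagedEncodeURI: damagedSymbols(encodeURI),
    damagedEncodeURIComponent: damagedSymbols(encodeURIComponent),
    // '#' starts the fragment, so everything after it is lost.
    rawWithHash: roundTrip(sampleWith('#'), raw),
    // Symbols still available to the generator after the exclusion list.
    remainingAfterExclude: [...SYMBOLS].filter((s) => !EXCLUDED.includes(s)),
  };
}

console.log(report());
```

With encodeURIComponent at the injection point every symbol round-trips, so the exclusion list (which leaves only 10 of the 30 symbols) is not needed for URL safety.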