Online Password Generator Ratings (Bitwarden = 8/10)

I recently came across a project by security researcher Aaron Toponce to audit and rate web-based password generators. The Google Docs spreadsheet of results is available here (most recent update Nov. 21, 2021).

I’m sharing this useful resource here in part as a future reference for myself, and in part because I was curious about two reported deficiencies in Bitwarden’s online password generator, which lowered its score:

  1. The source code for the stand-alone online password generator is apparently not included in Bitwarden’s GitHub repositories, so Aaron has classified the code as proprietary rather than open-source.

  2. The stand-alone online password generator reportedly includes trackers.

Could either or both of these issues be remedied? Why is the stand-alone password generator not included in the repository? Why does the stand-alone password generator include trackers? Bitwarden has disclosed the use of trackers or tracker-like services for push notifications and crash reporting on mobile devices, as well as communication with payment processors. However, these explanations do not seem relevant to the online password generator.


I’ve changed the topic title to make it more click-baity ahem – relevant. (Was: “Aaron Toponce’s Password Generator Audit”)

Thanks @grb, following up with the team on this one 👍