Online Password Generator Ratings (Bitwarden = 8/10)

I recently came across a project by security researcher Aaron Toponce to audit and rate web-based password generators. The Google Docs spreadsheet of results is available here (most recent update Nov. 21, 2021).

I’m sharing this useful resource here in part as a future reference for myself, and in part because I was curious about two reported deficiencies in Bitwarden’s online password generator, which lowered its score:

  1. The source code for the stand-alone online password generator is apparently not included in Bitwarden’s GitHub repositories, so Aaron has classified the code as proprietary rather than open-source.

  2. The stand-alone online password generator reportedly includes trackers.

Could either or both of these issues be remedied? Why is the stand-alone password generator not included in the repository? Why does the stand-alone password generator include trackers? Bitwarden has disclosed the use of trackers or tracker-like services for push notifications and crash reporting on mobile devices, as well as communication with payment processors. However, these explanations do not seem relevant to the online password generator.

2 Likes

I’ve changed the topic title to make it more click-baity ahem– relevant. (Was: “Aaron Toponce’s Password Generator Audit”)

Thanks @grb, following up with the team on this one :+1: