I recently came across a project by security researcher Aaron Toponce to audit and rate web-based password generators. The Google Docs spreadsheet of results is available here (most recent update Nov. 21, 2021).
I’m sharing this useful resource here in part as a future reference for myself, and in part because I was curious about two reported deficiencies in Bitwarden’s online password generator, which lowered its score:
- The source code for the stand-alone online password generator is apparently not included in Bitwarden’s GitHub repositories, so Aaron has classified the code as proprietary rather than open-source.
- The stand-alone online password generator reportedly includes trackers.
Could either or both of these issues be remedied? Why is the stand-alone password generator not included in the repository? Why does the stand-alone password generator include trackers? Bitwarden has disclosed the use of trackers or tracker-like services for push notifications and crash reporting on mobile devices, as well as communication with payment processors. However, these explanations do not seem relevant to the online password generator.