PassGen is a security-critical application that generates passwords. We take security seriously and appreciate your help in identifying and responsibly disclosing security vulnerabilities.
Supported Versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability, please:
- DO NOT open a public issue
- Email security details to the maintainers (see repository for contact)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.
Cryptographic Design:
- Key Derivation: Argon2id with 64 MB memory, 3 iterations
- PRNG: ChaCha20 for cryptographically secure randomness
- Seed Generation: Combines master passphrase with random salt
- Memory Protection: Sensitive data zeroized after use

Input Validation:
- Master passphrase never accepted via command line
- Password length limited to 12-256 characters
- Site names limited to 256 characters
- Count limited to 100 passwords per run
Master Passphrase:
- Use at least 12 characters
- Include multiple word phrases
- Never share or store in plain text
- Different from your other passwords

Site Names:
- Use consistent naming (e.g., "github.com" not "GitHub")
- Include version numbers for changed passwords
- Document your naming scheme securely

Password Storage:
- Never store generated passwords in plain text
- Use a password manager for storage
- Enable 2FA where possible
Known Limitations:
- Deterministic Generation: Same inputs produce same outputs
- No Forward Secrecy: Compromised master exposes all passwords
- Single Factor: Only master passphrase protects generation
- No Breach Detection: Doesn't check against known breaches

Do Not:
- Share your master passphrase
- Use PassGen on untrusted systems
- Store passwords in browser autocomplete
- Use weak master passphrases

Do:
- Verify you're using official releases
- Check file integrity/signatures
- Use on secure, malware-free systems
- Keep PassGen updated
Argon2id Parameters:
- Memory: 64 MB
- Iterations: 3
- Parallelism: 4
- Output: 32 bytes

Random Generation:
- CSPRNG: ChaCha20
- Seed: 256-bit from Argon2id
- Distribution: Uniform via range generation
PassGen aims to follow:
- OWASP password guidelines
- NIST SP 800-63B recommendations
- Cryptographic best practices
Security Audit Status:
- No formal security audit completed yet
- Community review welcome
- Penetration testing invited
For additional security questions, please contact the maintainers.