Careful! This is only using `Math.random` and does not attempt to use `window.crypto.random` (though most browsers do not support it yet: http://jsfiddle.net/alanhogan/trUYu/) or anything that would attempt to bring real entropy into the process.
I don’t mean to fault the creator of this page, but at the same time, I would not trust this generator for important passwords, simply because you cannot know if others are getting the same 'random' results as you are.
> In the Javascript engines of IE (Trident), Firefox (Gecko), Safari (WebKit) and Chrome (V8), the output of Math.random() can be used to reconstruct the random seed, and thus provide both this seed and the current “JS mileage” (i.e. the number of times Math.random() was invoked).
I wouldn't use a JS program served from somebody else's website to generate my password anyway. How do I know it's not sending them a copy of the passwords it generates?
He recently changed it to use a random seed sent from the server instead of the client-side RNG. Over, I believe, unencrypted HTTP. Your suggested countermeasure would not have detected that attack; indeed, perhaps it was already in place before you reported no evidence of attacks.
It would, however, have made it harder for him (or your ISP) to tell whose password they'd stolen.
More info on SO: http://stackoverflow.com/questions/5651789/is-math-random-cr...
PDF on the topic: http://www.trusteer.com/sites/default/files/Temporary_User_T...