
🔒 Password Generator uses cryptographically insecure Math.random() #376

@sulthonzh

Description


The password generator uses Math.random() for generating passwords, which is not cryptographically secure. Math.random() is a PRNG (Pseudo-Random Number Generator) that can be predicted if its internal state is known, making generated passwords vulnerable to brute-force attacks.

Context

  • File: src/pages/tools/string/password-generator/service.ts:29
  • Component: Password Generator tool

Current Behavior

for (let i = 0; i < length; i++) {
    const idx = Math.floor(Math.random() * charset.length);
    pwd += charset[idx];
}

Math.random() outputs are predictable and not suitable for any security-sensitive context, including password generation.

Expected Behavior

Passwords should be generated using crypto.getRandomValues(), which provides cryptographically secure random values available in all modern browsers.

Suggested Fix

- let pwd = "";
- for (let i = 0; i < length; i++) {
-   const idx = Math.floor(Math.random() * charset.length);
-   pwd += charset[idx];
- }
+ const array = new Uint32Array(length);
+ crypto.getRandomValues(array);
+ let pwd = "";
+ for (let i = 0; i < length; i++) {
+   pwd += charset[array[i] % charset.length];
+ }
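Review bot: `charset[array[i] % charset.length]` in the `+` lines introduces modulo bias: unless `charset.length` divides 2^32 exactly, the first `2^32 mod charset.length` characters of the charset each map from one more 32-bit input than the rest and are picked slightly more often. The skew is tiny for a 32-bit source, but it is easy to remove: discard any `array[i]` that is `>= 2^32 - (2^32 % charset.length)` and draw a replacement (rejection sampling), which is the standard pattern for uniform selection from a CSPRNG. Separately, the description says the fix also works in Node.js, but `crypto` is only a global in Node.js 19 and later; if service.ts can run server-side, import `webcrypto` from `node:crypto` explicitly rather than relying on the global.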

Impact

  • Severity: Medium/High — Every password generated by this tool is less secure than users expect. Anyone relying on this tool for real passwords is unknowingly using weak randomness.
  • crypto.getRandomValues() is available in all modern browsers and Node.js, so this is a straightforward fix with no compatibility concerns.

References

Positively — happy to submit a PR if this is welcome.
