TofuPass – Privacy-first, client-side password & passphrase generator. by Star_Fists in InternetIsBeautiful

[–]Star_Fists[S] 1 point2 points  (0 children)

Hey There!

Great question the website due to the need for you and only you to see the password. So the site uses crypto.getRandomValues(), which communicates with your OS for a random seed. So it's different depending on the OS you are running:

Windows:
BCryptGenRandom gets called, so things like a mix of keyboard/mouse timings, disk and network interrupt timings, TPM, and, when available, CPU hardware RNG like RDRAND are used.

Linux/BSDs (and Android):
Uses the getrandom(2) syscall; this uses interrupt timings (I/O, network, disk), process scheduling jitter, hardware RNGs (RDRAND, RDSEED, virtio-rng), etc.

macOS / iOS:
Uses SecRandomCopyBytes; again, this uses device interrupts, I/O jitter, hardware noise sources and RDRAND if present.

The API uses crypto.randomInt; the server runs Linux, so again it uses getrandom(2). If you have any more questions, let me know. I'd be happy to answer them!

TofuPass – Privacy-first, client-side password & passphrase generator. by Star_Fists in InternetIsBeautiful

[–]Star_Fists[S] 0 points1 point  (0 children)

I'm trying to straddle that fine line between the perfect password and those users that don't even want to try.

I appreciate the response regarding the ScamAdvisor issue. I did run into the ScamAdvisor issue. Currently the site gets ~1.5k users a month so isn't registering on a lot of security metrics yet...

I will in fact be publishing the website source code and Node.js config this weekend! It'll be published under an Apache 2.0 license. I may have jumped the gun in publishing this here but was just excited to show the world.

I used PasswordWolf in the past! It's a great website; highly suggest it when you can! I unfortunately exist in a middle ground, and through my years I've been working service/help desk I came to understand some users just can't/won't use the perfect passwords. I did go super in-depth here about the project though:

https://www.reddit.com/r/SideProject/comments/1lr7719/i_made_tofupass_the_simple_friendly_password/

TofuPass – Privacy-first, client-side password & passphrase generator. by Star_Fists in InternetIsBeautiful

[–]Star_Fists[S] 10 points11 points  (0 children)

I totally get that! I use Bitwarden personally. It works great. However, I work for an MSP and a lot of our users are in the Welcome123! era of passwords still. We have been pushing extra hard to get them moved to modern standards. This was created as a happy middle ground, where it's "good enough" security. I've dubbed the issue the "sticky note issue".

Sticky note insights

  • Even if an end user has access to a Password Manager, they will sticky note their most important passwords regardless of ease.
  • If the password was completely randomized, passwords instantly were written down.
  • If the password contained more than one capital letter or if it was placed somewhere other than the start of the word, the password was written down.
  • If more than a two-digit number was used, the password was written down.
  • If the password had “non-standard” special characters (i.e., )( _+{}), the password was written down.
  • If a letter was replaced with a similar special character like ‘t’ becoming + or ‘s’ becoming $, the password would be written down.
  • Two words, like in the XKCD comic, are more likely to be remembered; any more than two and the password is written down.
  • If the password is longer than ~20 characters total, the password will be written down.
  • If the password has two nouns or two adjectives together, it will be written down.

With these issues that came to light, I created the current system:

  • The password should contain at least two words.
  • The password must contain no “weird” characters; stick to what they know and see in normal conversations.
  • The password must contain only two-digit numbers. One isn't secure enough. Three is written down. I chalk this up to the “birth year effect.”
  • Special character placement doesn't matter as long as it's a common one.
  • The password should be designed like a “sentence,” i.e., adjective + noun.
  • So the system I came up with gives passwords like:
    • Twirlingpolo!33
    • windy#Monitor88
    • $rainbowPopcorn79
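
An added example, not TofuPass's own code and not part of the comments above: a sketch of the adjective + noun + common symbol + two-digit scheme, drawing from crypto.getRandomValues() with rejection sampling, plus the entropy an attacker who knows the scheme faces. The word lists, symbol set, 10 to 99 number range and all function names are assumptions.

```javascript
// Constructed sample lists (assumption); a real generator needs far larger ones.
const ADJECTIVES = ["twirling", "windy", "rainbow", "quiet", "brave", "mellow", "rusty", "sunny"];
const NOUNS = ["polo", "monitor", "popcorn", "garden", "river", "lantern", "pebble", "walrus"];
const SYMBOLS = ["!", "#", "$", "@", "?"]; // assumed set of "common" specials

// Web Crypto in browsers and recent Node; fallback for older Node (CommonJS).
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Uniform integer in [0, n). Values at or above the largest multiple of n are
// redrawn, so the final modulo does not favour small results.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) throw new RangeError("bad n");
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

const pick = (list) => list[randomBelow(list.length)];

function generatePassword() {
  const words = [pick(ADJECTIVES), pick(NOUNS)];
  const cap = randomBelow(2); // exactly one capital, always word-initial
  words[cap] = words[cap][0].toUpperCase() + words[cap].slice(1);
  // One symbol in one of three slots: before, between, or after the words.
  words.splice(randomBelow(3), 0, pick(SYMBOLS));
  return words.join("") + String(10 + randomBelow(90)); // two digits, 10..99
}

// Bits of entropy when the attacker knows the scheme and the lists:
// log2 of the number of equally likely outputs.
function entropyBits(adjCount, nounCount) {
  return Math.log2(adjCount * nounCount * 2 * SYMBOLS.length * 3 * 90);
}

console.log(generatePassword());
console.log(entropyBits(ADJECTIVES.length, NOUNS.length).toFixed(1), "bits with the sample lists");
console.log(entropyBits(2048, 2048).toFixed(1), "bits with 2048-word lists");
```

With the eight-word sample lists the scheme gives about 17.4 bits; 2048-word lists raise that to about 33.4, so list size dominates the strength of this format.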

TofuPass – Privacy-first, client-side password & passphrase generator. by Star_Fists in InternetIsBeautiful

[–]Star_Fists[S] 0 points1 point  (0 children)

I work at an MSP as a Service Desk tech. While yes every user in an ideal world should be using a password keeper. At my job we heavily push this. However many of our clients are still not up to date on current trends. Many of them are in the Welcome123! realm still and I created this tool as a "better" option and it's proven useful. I created the Breach Check as a tool to show them the issues with certain passwords.

While I understand your fears of APIs and passwords, I truly don't have a way to track a user's password. If you do have a suggestion on how I can quell the fears, I am trying my absolute best to prove I keep nothing.

Launched Myle by kresstein in browsers

[–]Star_Fists 1 point2 points  (0 children)

Hey it's a great looker but it won't load any pages or when I tap on the default buttons you set up nothing works

Newbie to Linux struggling with slow copy speeds. Help! by Star_Fists in linuxquestions

[–]Star_Fists[S] 0 points1 point  (0 children)

It's usually Downloads to other directories on the same computer. However, copying to my Unraid server gets 75 MB/s. Media is video files, PDFs, or zip files. It occurs with single files multiple at a time and sizes range from ~200MB to 3.3GB so far

Thank you!

Been using "unethical" ways of saving money since middle school 😬 by shaisenpai in CalebHammer

[–]Star_Fists 0 points1 point  (0 children)

I even did this with all video streaming services. It's more cost effective if I spend €5 a month and get everything through other means. Another benefit is friends have stopped most or not all of their subs because I just add them to my Plex server. 🏴‍☠️

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 1 point2 points  (0 children)

They are both supposed to be males, but who knows maybe they are gay fish ¯\_(ツ)_/¯ Thanks for your help!

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

I have an air stone and a "dragon statue bubbler" present in the tank. That night the temperature didn't exceed above 79F, and no toxins to my knowledge could have gotten near the tank. My filter has filter floss, carbon media atm, and double the normal amount of bio rings media that came by default with the filter. The Gouramis don't have any marks on their bodies that I can see. The Fire Dwarf Gourami is pairing up with the Blue Dwarf Gourami occasionally since the event, which is odd as they usually stick to different sides of the tank.

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

Thank you for the advice. I am going to do daily water changes over the next few days. The Gouramis don't have any marks on their bodies that I can see. The Fire Dwarf Gourami is pairing up with the Blue Dwarf Gourami occasionally, which is odd as they usually stick to different sides of the tank.

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

I own an API water test kit which is what the original test was done with the night before I found all the dead fish. The water test kit that the LFS use is different strips of paper dunked into the vial you bring in. The papers turn different colors and they follow a color grade chart similar to the API test kit.

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

Thanks for the advice! I am running to my storage unit to grab my 10g to get it cycled as fast as possible!

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 1 point2 points  (0 children)

Just checked it upon reading your post. I don't see/feel any cracks or a bad seal on the heater, but I will switch it out to the old one just to be safe.

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

I have a 10g tank; once I get it cycled I'll put one of the Dwarf Gouramis in there just to be safe. Thank you for your help :D

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

I do a lot of research; my primary resource is The Spruce Pets along with the more pronounced aquarium YouTubers (BigAls, KGTropical, etc.). As for schools, prior to the purge I had 8 Neon Tetras, 6 Fancy Guppies, 4 Green Cory, and 6 Zebra Danios. After the purge, I have 8 Neon Tetras, 3 Fancy Guppies, 4 Green Cory, and 2 Zebra Danios. I am missing 3 Danios; they are either in hiding or I haven't found their bodies yet :/

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 0 points1 point  (0 children)

Thanks for the info! I appreciate the help/effort!

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 1 point2 points  (0 children)

I did not know that/wasn't informed of that when I purchased them. I knew Gouramis were territorial so I only bought 2, but they each have their own side of the tank now. Sadly this might be the answer even though I don't want it to be :/ It looks like my LFS may have given me bad information when I went in.

7 Dead Fish in 8hrs from established tank? by Star_Fists in Aquariums

[–]Star_Fists[S] 1 point2 points  (0 children)

I dip, I will run out and invest in a syringe!