Inspiration

One of the most common ways attackers gain access to enterprise systems is through weak, reused, or easily compromised passwords. As user-based threats and credential attacks continue to grow, strong password security remains one of the simplest and cheapest yet most important lines of defense. This project was inspired by the need to help users create secure, reliable passwords that reduce risk, strengthen account protection, and promote better security habits from the start.

What it does

The extension generates cryptographically secure passwords of customizable length. Generation is 100% local, works completely offline, and uses the same randomness as HTTPS TLS certificates. It does NOT make ANY network requests, does NO data collection and NO tracking, and we offer the code as open source.

How we built it

We built a vanilla extension: HTML, CSS, and JavaScript only, no bundler or framework. The popup UI includes mode switching (password vs passphrase), validation, copy-to-clipboard, and a racing-themed generate animation that respects prefers-reduced-motion. Passphrases use a bundled word list (passphrase-words.js) so the wordlist is never fetched at runtime. We kept the manifest minimal (zero permissions), used a CSP appropriate for MV3, and documented packaging (e.g. zip for store submission) and privacy expectations in the repo README and privacy policy.
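The two generation modes described above, sketched with Web Crypto as an added example that is not the extension's own code. The function names, the character set and the constructed 16-word list are assumptions; the real list ships in passphrase-words.js.

```javascript
// Added example: names, sample word list and defaults are assumptions, not RedlinePass code.
// In an extension popup globalThis.crypto is Web Crypto; the fallback covers older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed 16-word sample; a real diceware-style list has thousands of words.
const SAMPLE_WORDS = ["apex", "brake", "chicane", "draft", "engine", "flag", "grid", "hairpin",
  "kerb", "lap", "marshal", "paddock", "pit", "podium", "slick", "turbo"];
const CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_";

// Uniform integer in [0, n) by rejection sampling: a plain `value % n` would favour
// low indexes whenever n does not divide 2^32.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) throw new RangeError("bad range");
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit); // discard draws from the uneven tail
  return buf[0] % n;
}

function generatePassword(length, charset = CHARSET) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("bad length");
  let out = "";
  for (let i = 0; i < length; i++) out += charset[randomIndex(charset.length)];
  return out;
}

// Passphrase mode: random words joined by a delimiter, with an optional digit suffix.
function generatePassphrase(wordCount, { words = SAMPLE_WORDS, delimiter = "-", suffixDigits = 0 } = {}) {
  if (!Number.isInteger(wordCount) || wordCount < 1) throw new RangeError("bad word count");
  const picked = [];
  for (let i = 0; i < wordCount; i++) picked.push(words[randomIndex(words.length)]);
  let suffix = "";
  for (let i = 0; i < suffixDigits; i++) suffix += String(randomIndex(10));
  return picked.join(delimiter) + (suffix ? delimiter + suffix : "");
}

// Entropy in bits of `count` independent uniform picks from `poolSize` options.
function entropyBits(count, poolSize) {
  return count * Math.log2(poolSize);
}
```

With the 16-word sample list each word adds only 4 bits, which is why the size of the bundled list matters as much as the word count.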

Challenges we ran into

UX vs security: Balancing a fun, on-brand UI (track theme, animation) with clarity, accessibility, and no extra attack surface.

Passphrase UX: Supporting delimiters, optional suffixes, and count steppers without bloating the popup or relying on risky permissions.

Accuracy vs marketing: Being precise about network use (fonts) while still promising local-only generation and no data collection.

Publish readiness: Removing dead code (e.g. unused theme/storage paths), aligning privacy policy with real behavior, and making sure the store zip includes all assets (including the wordlist).

Accomplishments that we're proud of

True local generation with Web Crypto and zero extension permissions.

Two modes: classic passwords and diceware-style passphrases with real customization (delimiters, suffixes, character count feedback).

A distinctive, cohesive racing-inspired interface that still feels like a serious security tool.

Transparent stack: plain files, auditable logic, and docs/README aimed at developers and store reviewers, not just end users.

What we learned

How MV3, CSP, and permission minimization shape what you can ship in the extension popup.

That passphrase UX (words, separators, optional entropy bumps) matters as much as raw character length.

That small projects still need accurate privacy language, especially when third-party fonts or future features could change assumptions.

How much review and packaging discipline matters if the goal is real-world publishing on the Chrome Web Store or similar.

What's next for RedlinePass Generator

Possibly add a subscription or one-time purchase model.
