MyCrypto uses the
window.crypto method which is a cryptographically secure pseudo-random number generator. It does not matter if you are online or offline.
A key will not be generated if this method is not supported by a particular implementation or if something fails during the initialization of the crypto method. In our opinion, it is more secure to generate a key using only this method instead of adding complexity and opening ourselves up to failures or half-failures by combining different methods of generating randomness. Especially with the range of browsers and operating systems today, running tests for every circumstance ever is serious undertaking.
This avoids situations (see: TrueCrypt) where you think you are happily RNG-ing away with proper entropy (e.g., using the Windows Crypto API and mouse movements) but since the Windows Crypto API actually didn't initialize, you're really only getting entropy from mouse movements. As the TrueCrypt audit stated, "When this happens, Truecrypt
should barf and catch fire. Instead it silently accepts this failure and continues to generate keys." We don't generate keys in that situation, because we avoid that situation entirely. No
window.crypto = no key generated.
Browsers (Chrome, Firefox, Edge) implement the specification for
window.crypto which partially relies on entropy for the OS.
As far as entropy on your system itself: it's no longer the case that a new computer has little or no entropy. That window has been vastly reduced to very specific times during boot where there is no system activity or the entropy sources are completely unavailable. This obviously doesn't apply here as you have already booted AND already opened your browser. In addition, as described in the specification: "these sources should be used to seed a cryptographic pseudo-random number generator that can then return suitable values efficiently".
getrandom(if available) or
/dev/urandom(older Linux kernels)
arc4random_buf()with ChaCha20 (not RC4)
The good news is is that we're relying on things that really really smart groups of people to build and maintain how our keys are generated. There are glorious amount of specs (and even specs about testing those specs). The bad news is...if something in the above fail spectacularly, your insecurely generated ETH wallet is going to be the least of the world's issues.
Didn't find what you were looking for? Contact Us
MyCrypto is an open-source tool that allows you to manage your Ethereum accounts privately and securely. Developed by and for the community since 2015, we’re focused on building awesome products that put the power in people’s hands.
Subscribe to MyCrypto
Get updates from MyCrypto straight to your inbox!