Your password manager does this too!
No thank you, KeepAssXC for me!
$ Openssl rand 16 | base64
today I learned. Thanks :)
That’s fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn’t good to train people to trust a website for this.
I’ve started using https://neal.fun/password-game/ to generate passwords 😊
hunter2
correct horse battery staple
All I see is *******.
I would definitely use those passwords! /s
Right! How good is the entropy?..
$ pwgen -s -1 32
That isn’t great from a security perspective
This seems like one picked up data packet away from being a bad idea. Am I overthinking this?
With https as protocol, picked up data packets won’t do much harm.
But relying on anything but a local password manager is imho still a bad idea.Yeah I think I’ll just click an icon in my password manager instead.
This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.
Ultimately, it’s more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture
Are they sending data? I’m pretty sure this will just be generated on the client.
Yeah, I tested it. It’s not a client side thing, it is part of the search page output.
oof
I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?
edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.
This is why you should do DNS over HTTPS
DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.
But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.
You are not overthinking it. Exploiting this would be a bit more complex than capturing a packet on the wire, but it is possible.
If you intend to use a passphrase for anything important, it’s best to generate it locally.
If you have to use this, generate multiple passwords and mix them
There are certainly better ideas.
I like the little tools like this that DuckDuckGo has. A couple others:
- “color picker”
- “base64 encode your_text_here” (and “base64 decode encoded_string_here” as well)
- “json formatter”
my favorite is “qr code” best and easiest qr code generator
You can type “qr url” and have it done in one step. However, I prefer not to load their servers unnecessarily and the same can be achieved in Firefox by creating a bookmark to “https://qr.15c.me/tiny-qr.html#%s” (or a local copy of tiny-qr.html) and settting its keyword (not to be confused with tags) to “qr”.
I like this as most qr generator websites make a link shortener kind of thing and put ads before my content.
Yeah I used it to convert my totp token to qr code. Works great
Whoa, that one is great.
Uuid
Oh cool, I didn’t know about that one.
If you’re going to auto generate passwords, just use BitWarden.
I use KeePass. It’s just a local file (which you can sync/host how you see fit if you need to). I don’t understand why people choose to use password managers hosted by other people. You almost certainly don’t need that, and it introduces issues and vulnerabilities with little upside.
If you’re going to use a password vault, use one you host yourself and not someone else’s service.
Most people can not host it. Of those who can, many shouldn’t host it, for their own safety.
Well that’s some FUD nonsense to excuse laziness.
If you really think most people are up to it, you live in a bubble.
If you really think most people are up to using a password manager, you live in a bubble.
Lol, no. I don’t trust myselft to keep it well maintained, up to date, nor available when it matters most.
Oh, that’s fine; I’ve been wrong before, too.
The difference in complexity in setting up bitwarden and using your own self-hosted instance of bitwarden is fucking massive. For 99.9% of people rhem using bitwarden would greatly improve their password security and bitwarden has proven to be better than the competition.
FYI Vaultwarden is simpler and should be easier to self-host
Would love to set up Vaultwarden, but I trust my own skills in hardening a server less than Bitwardens
I don’t even trust my server skills enough to open my jellyfin to the internet.
You can host Bitwarden…
So you agree?
Or just use a locally hosted password generator for one that isn’t handfed to you by a for-profit company…
Alternatively, you can just roll your face on the keyboard and then take a screenshot of the resulting password to save it. 🤷♂️
That’s what I’m thinking. Is it really so hard to just make up s random string of symbols? I do it all the time but use acronym type things to remember it.
Ok but you should use passphrases. Better to type and remember in case you need to
There are instances where sites prevent copy-paste, or you are on another machine without your password manager available
typing passwords
If you have a password vault, use the vault first.
For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don’t contain dictionary words. Example:
Annual evaluations are due before summer. Be sure to mention the Grodsky project! aeadB4S.Bs2mtGp.
Where did Julie’s candy go? I ate it! She’ll never know >:D
WdJcg?I8i!Snn>:D
Even if I had a perfectly secure connection, I’m still getting a password from a service that could be tracking me.
Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter
I want to be clear that what I’m about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.
A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I’ll get there.
A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.
From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.
Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.
So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person’s reputation at work if anyone got their company’s AD password file out without notice, as well as one’s security if their browser’s password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.
Ok I think I had a misconception about complexity. In case of brute forcing passwords, of course adding symbols helps.
I generally just use 5-6 passphrase words, which should be very safe as the wordlist is pretty long. But adding spelling errors or dialect is an amazing solution which I should add to all my new passphrase passwords
WdJcg?I8i!Sn
nk>:DI didn’t type this right in the first place, but it DOES bring up a point.
Substituting symbols for letters, we always called it leet speak—but Wikipedia calls it munged—used to be considered safe quite some time ago.
It’s better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.
pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.
That’s great if you only have a couple of online accounts, but get past a few dozen and you’re toast. I don’t know about you, but I sure can’t remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.
You didnt read my comment
Passphrases are easier when you need to enter the password on a system that isn’t logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.
Pass phrases for things that need to be human readable/rememberable.
Generated strings for everything else.
Because a pass phrase is inherently vulnerable to a dictionary attack because… it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is “a=@” or “every ‘e’ is a ‘b’” and so forth.
Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and “one day we’ll have quantum computers” but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you… at which point “hmm. 96 characters? Must be a pass phrase”. So… not the venue to discuss.
But, at that point… if you are using a password manager/vault anyway…
Also the reality is that anyone who has ever dealt with a bank or some other “legacy” website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to “p@$$w0rd” level bullshit (or, better yet, you have a mental model/style of password).
Passphrases everywhere, add dialect to make it harder, symbols if you like. Crazy but short passwords for limitations
Short password please.
-“Penis”
Long password please
YourPen!sInMyHand
![TIL that if you search "Password generator, [x] characters, [y] strength" at DuckDuckGo, it will generate a password for you.](https://lemmy.world/pictrs/image/31a5b1e1-4330-4a27-aa88-cc47a25acb05.jpeg){kind=link}