I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?
edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.
DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.
But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.
![TIL that if you search "Password generator, [x] characters, [y] strength" at DuckDuckGo, it will generate a password for you.](https://lemmy.world/pictrs/image/31a5b1e1-4330-4a27-aa88-cc47a25acb05.jpeg){kind=link}
I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?
edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.
This is why you should do DNS over HTTPS
DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.
But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.