• chicken@lemmy.dbzer0.com · 47 up, 1 down · edited · 1 day ago

    That’s fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn’t good to train people to trust a website for this.

  • state_electrician@discuss.tchncs.de · 2 up · 15 hours ago

    You can also just use “random password x” with x being a number. What I use more often is “random uuid”, which I hope is self-explanatory.

    • percent@infosec.pub · 4 up · edited · 5 hours ago

      Fun fact: You can generate a random UUID in your web browser without needing to visit a website. Just open your browser console and type crypto.randomUUID()

  • TehBamski@lemmy.world · 167 up · 1 day ago

    This seems like one picked up data packet away from being a bad idea. Am I overthinking this?

    • merc@sh.itjust.works · 4 up, 1 down · 15 hours ago

      This is probably ok. First of all, they’re probably actually doing it in JavaScript in the browser. It probably never travels over the network at all. And, if it did, with HTTPS it would be hard to intercept and decrypt except by a government or something.

      But, it still gives me the willies to generate a password on a web page. Fundamentally a web browser is still a tool for sending and receiving data over the Internet, and that’s not the kind of tool I’d want to be generating something that I don’t want other people to know or see.

      What happens if there’s a bug? If the password is being generated in an app on my local system, a badly designed app with a bug could maybe log my newly generated password in a local log file somewhere. If there’s a bug in DuckDuckGo’s JavaScript, who knows where that newly generated password might be logged?

    • zergtoshi@lemmy.world · 16 up · 1 day ago

      With https as protocol, picked up data packets won’t do much harm.
      But relying on anything but a local password manager is imho still a bad idea.

    • Godort@lemmy.ca · 80 up, 3 down · 1 day ago

      This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.

      Ultimately, it’s more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture.

      • warm@kbin.earth · 19 up, 1 down · 1 day ago

        Are they sending data? I’m pretty sure this will just be generated on the client.

      • TehBamski@lemmy.world · 8 up, 2 down · edited · 1 day ago

        I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?

        edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.

          • nef@slrpnk.net · 1 up · 19 hours ago

            DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.

            But realistically, using DDG to generate a password is safer than downloading a local program to do it: an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.

            • snowe@programming.dev · 1 up · 5 hours ago

              All they need to do is get you to install a sketchy browser extension, and then any time you generate a password on DDG they’ve captured it. No man in the middle necessary. Unlike generating a pw with your pw manager, then inserting it with your pw manager or just typing it into the field (which shouldn’t be accessible to extensions on any appropriately coded site).

    • who@feddit.org · 32 up · 1 day ago

      You are not overthinking it. Exploiting this would be a bit more complex than capturing a packet on the wire, but it is possible.

      If you intend to use a passphrase for anything important, it’s best to generate it locally.

  • tuckerm@feddit.online · 43 up · 1 day ago

    I like the little tools like this that DuckDuckGo has. A couple others:

    • “color picker”
    • “base64 encode your_text_here” (and “base64 decode encoded_string_here” as well)
    • “json formatter”

    • Telodzrum@lemmy.world · 34 up, 12 down · 1 day ago

      If you’re going to use a password vault, use one you host yourself and not someone else’s service.

      • Mark with a Z@suppo.fi · 8 up · 23 hours ago

        Most people can not host it. Of those who can, many shouldn’t host it, for their own safety.

            • Telodzrum@lemmy.world · 1 up, 2 down · 16 hours ago

              If you really think most people are up to using a password manager, you live in a bubble.

              • smh@slrpnk.net · 3 up · 13 hours ago

                I got my non-gamer boomer neighbor on Bitwarden. It’s not that complicated.

                She’s never had a job or hobby where she had to use a computer, and she picked up “oh, I store all my passwords in this magic browser thing? That’s way more convenient than remembering which kid’s birthday was the password to my email.” I also taught her how to copy and paste using the keyboard (and that you can remind yourself of what the shortcut is by right-clicking and looking at the shortcut hint in the menu).

              • Mark with a Z@suppo.fi · 5 up · 16 hours ago

                There’s quite a difference in the required level of knowledge between installing an app and self-hosting services.

      • RaivoKulli@sopuli.xyz · 1 up · 15 hours ago

        I think for most it’s much easier to have a local file for passwords (keepass) and just sync that using whatever sync software you might be using.

      • notarobot@lemmy.zip · 23 up, 1 down · 1 day ago

        Lol, no. I don’t trust myself to keep it well maintained, up to date, nor available when it matters most.

      • scintilla@crust.piefed.social · 59 up, 1 down · 1 day ago

        The difference in complexity between setting up Bitwarden and using your own self-hosted instance of Bitwarden is fucking massive. For 99.9% of people, them using Bitwarden would greatly improve their password security, and Bitwarden has proven to be better than the competition.

    • Cethin@lemmy.zip · 6 up, 3 down · 1 day ago

      I use KeePass. It’s just a local file (which you can sync/host how you see fit if you need to). I don’t understand why people choose to use password managers hosted by other people. You almost certainly don’t need that, and it introduces issues and vulnerabilities with little upside.

  • Ech@lemmy.ca · 15 up, 1 down · 1 day ago

    Or just use a locally hosted password generator for one that isn’t handfed to you by a for-profit company…