• chicken@lemmy.dbzer0.comEnglish
    522·
    1 day ago

    That’s fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn’t good to train people to trust a website for this.

  • TehBamski@lemmy.worldEnglish
    172·
    2 days ago

    This seems like one picked up data packet away from being a bad idea. Am I overthinking this?

    • merc@sh.itjust.worksEnglish
      71·
      22 hours ago

      This is probably ok. First of all, they’re probably actually doing it in Javascript in the browser. It probably never travels over the network at all. And, if it did, with HTTPS it would be hard to intercept and decrypt except by a government or something.

      But, it still gives me the willies to generate a password on a web page. Fundamentally a web browser is still a tool for sending and receiving data over the Internet, and that’s not the kind of tool I’d want to be generating something that I don’t want other people to know or see.

      What happens if there’s a bug? If the password is being generated in an app on my local system a badly designed app with a bug could maybe log my newly generated password in a local log file somewhere. If there’s a bug in DuckDuckGo’s javascript, who knows where that newly generated password might be logged?

    • zergtoshi@lemmy.worldEnglish
      19·
      1 day ago

      With https as protocol, picked up data packets won’t do much harm.
      But relying on anything but a local password manager is imho still a bad idea.

    • Godort@lemmy.caEnglish
      863·
      2 days ago

      This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.

      Ultimately, it’s more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture

      • warm@kbin.earth
        201·
        2 days ago

        Are they sending data? I’m pretty sure this will just be generated on the client.

      • TehBamski@lemmy.worldEnglish
        92·
        2 days ago

        I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?

        edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.

          • nef@slrpnk.netEnglish
            1·
            1 day ago

            DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.

            But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.

            • snowe@programming.devEnglish
              1·
              11 hours ago

              all they need to do is get you to install a sketchy browser extension and then anytime you generate a password on ddg they’ve captured it. No man in the middle necessary. Unlike generating a pw with your pw manager, then inserting it with your pw manager or just typing it into the field (which shouldn’t be accessible to extensions on any appropriately coded site).

    • who@feddit.orgEnglish
      33·
      2 days ago

      You are not overthinking it. Exploiting this would be a bit more complex than capturing a packet on the wire, but it is possible.

      If you intend to use a passphrase for anything important, it’s best to generate it locally.

  • state_electrician@discuss.tchncs.deEnglish
    2·
    21 hours ago

    You can also just use “random password x” with x being a number. What I use more often is “random uuid” which I hope is self explanatory.

  • tuckerm@feddit.onlineEnglish
    43·
    2 days ago

    I like the little tools like this that DuckDuckGo has. A couple others:

    • “color picker”
    • “base64 encode your_text_here” (and “base64 decode encoded_string_here” as well)
    • “json formatter”
    • Telodzrum@lemmy.worldEnglish
      3414·
      2 days ago

      If you’re going to use a password vault, use one you host yourself and not someone else’s service.

            • Telodzrum@lemmy.worldEnglish
              14·
              23 hours ago

              If you really think most people are up to using a password manager, you live in a bubble.

              • smh@slrpnk.netEnglish
                4·
                20 hours ago

                I got my non-gamer boomer neighbor on Bitwarden. It’s not that complicated.

                She’s never had a job or hobby where she had to use a computer and she picked up “oh, I store all my passwords in this magic browser thing? That’s way more convenient that remembering which kid’s birthday was the password to my email.” I also taught her how to copy and paste using the keyboard (and that you can remind yourself of what the shortcut is by right-clicking and looking at the shortcut hint in the menu).

              • Mark with a Z@suppo.fiEnglish
                6·
                22 hours ago

                There’s quite a difference in the required level of knowledge between installing an app and self-hosting services.

      • notarobot@lemmy.zipEnglish
        241·
        1 day ago

        Lol, no. I don’t trust myselft to keep it well maintained, up to date, nor available when it matters most.

      • scintilla@crust.piefed.socialEnglish
        601·
        2 days ago

        The difference in complexity in setting up bitwarden and using your own self-hosted instance of bitwarden is fucking massive. For 99.9% of people rhem using bitwarden would greatly improve their password security and bitwarden has proven to be better than the competition.

      • RaivoKulli@sopuli.xyzEnglish
        1·
        21 hours ago

        I think for most it’s much easier to have a local file for passwords (keepass) and just sync that using whatever sync software you might be using.

    • Cethin@lemmy.zipEnglish
      63·
      1 day ago

      I use KeePass. It’s just a local file (which you can sync/host how you see fit if you need to). I don’t understand why people choose to use password managers hosted by other people. You almost certainly don’t need that, and it introduces issues and vulnerabilities with little upside.

  • Ech@lemmy.caEnglish
    151·
    2 days ago

    Or just use a locally hosted password generator for one that isn’t handfed to you by a for-profit company…