• chicken@lemmy.dbzer0.comEnglish
    19·
    4 hours ago

    That’s fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn’t good to train people to trust a website for this.

  • TehBamski@lemmy.worldEnglish
    132·
    16 hours ago

    This seems like one picked up data packet away from being a bad idea. Am I overthinking this?

    • zergtoshi@lemmy.worldEnglish
      7·
      5 hours ago

      With https as protocol, picked up data packets won’t do much harm.
      But relying on anything but a local password manager is imho still a bad idea.

    • who@feddit.orgEnglish
      29·
      14 hours ago

      You are not overthinking it. Exploiting this would be a bit more complex than capturing a packet on the wire, but it is possible.

      If you intend to use a passphrase for anything important, it’s best to generate it locally.

    • Godort@lemmy.caEnglish
      623·
      16 hours ago

      This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.

      Ultimately, it’s more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture

      • warm@kbin.earth
        161·
        15 hours ago

        Are they sending data? I’m pretty sure this will just be generated on the client.

        • plz1@lemmy.worldEnglish
          381·
          14 hours ago

          Yeah, I tested it. It’s not a client side thing, it is part of the search page output.

      • TehBamski@lemmy.worldEnglish
        72·
        15 hours ago

        I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?

        edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.

  • tuckerm@feddit.onlineEnglish
    38·
    14 hours ago

    I like the little tools like this that DuckDuckGo has. A couple others:

    • “color picker”
    • “base64 encode your_text_here” (and “base64 decode encoded_string_here” as well)
    • “json formatter”
    • Cethin@lemmy.zipEnglish
      31·
      5 hours ago

      I use KeePass. It’s just a local file (which you can sync/host how you see fit if you need to). I don’t understand why people choose to use password managers hosted by other people. You almost certainly don’t need that, and it introduces issues and vulnerabilities with little upside.

    • Telodzrum@lemmy.worldEnglish
      327·
      15 hours ago

      If you’re going to use a password vault, use one you host yourself and not someone else’s service.

      • Mark with a Z@suppo.fiEnglish
        4·
        3 hours ago

        Most people can not host it. Of those who can, many shouldn’t host it, for their own safety.

      • notarobot@lemmy.zipEnglish
        171·
        9 hours ago

        Lol, no. I don’t trust myselft to keep it well maintained, up to date, nor available when it matters most.

      • scintilla@crust.piefed.socialEnglish
        521·
        15 hours ago

        The difference in complexity in setting up bitwarden and using your own self-hosted instance of bitwarden is fucking massive. For 99.9% of people rhem using bitwarden would greatly improve their password security and bitwarden has proven to be better than the competition.

  • Ech@lemmy.caEnglish
    121·
    14 hours ago

    Or just use a locally hosted password generator for one that isn’t handfed to you by a for-profit company…

    • WhyIHateTheInternet@lemmy.worldEnglish
      6·
      14 hours ago

      That’s what I’m thinking. Is it really so hard to just make up s random string of symbols? I do it all the time but use acronym type things to remember it.

  • boredsquirrel@slrpnk.netEnglish
    182·
    1 hour ago

    Ok but you should use passphrases. Better to type and remember in case you need to

    There are instances where sites prevent copy-paste, or you are on another machine without your password manager available

    • SpikesOtherDog@ani.socialEnglish
      16·
      15 hours ago

      If you have a password vault, use the vault first.

      For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don’t contain dictionary words. Example:

      Annual evaluations are due before summer. Be sure to mention the Grodsky project! aeadB4S.Bs2mtGp.

      Where did Julie’s candy go? I ate it! She’ll never know >:D

      WdJcg?I8i!Snn>:D

      Even if I had a perfectly secure connection, I’m still getting a password from a service that could be tracking me.

      • boredsquirrel@slrpnk.netEnglish
        1·
        1 hour ago

        Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter

        • SpikesOtherDog@ani.socialEnglish
          3·
          11 hours ago

          I didn’t type this right in the first place, but it DOES bring up a point.

          Substituting symbols for letters, we always called it leet speak—but Wikipedia calls it munged—used to be considered safe quite some time ago.

          It’s better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.

          pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.

    • Kernal64@sh.itjust.worksEnglish
      111·
      14 hours ago

      That’s great if you only have a couple of online accounts, but get past a few dozen and you’re toast. I don’t know about you, but I sure can’t remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.

      • doctordevice@lemmy.caEnglish
        3·
        10 hours ago

        Passphrases are easier when you need to enter the password on a system that isn’t logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.

    • NuXCOM_90Percent@lemmy.zipEnglish
      6·
      15 hours ago

      Pass phrases for things that need to be human readable/rememberable.

      Generated strings for everything else.

      Because a pass phrase is inherently vulnerable to a dictionary attack because… it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is “a=@” or “every ‘e’ is a ‘b’” and so forth.

      Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and “one day we’ll have quantum computers” but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you… at which point “hmm. 96 characters? Must be a pass phrase”. So… not the venue to discuss.

      But, at that point… if you are using a password manager/vault anyway…

      Also the reality is that anyone who has ever dealt with a bank or some other “legacy” website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to “p@$$w0rd” level bullshit (or, better yet, you have a mental model/style of password).