• Godort@lemmy.caEnglish
      762·
      7 months ago

      This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.

      Ultimately, it’s more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture

      • warm@kbin.earth
        161·
        7 months ago

        Are they sending data? I’m pretty sure this will just be generated on the client.

      • 𝜯𝐞𝐡 𝜝𝐚𝐦𝐬𝐤𝐢@lemmy.worldEnglish
        82·
        7 months ago

        I’m no cybersecurity expert. But couldn’t they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?

        edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.

          • nef@slrpnk.netEnglish
            1·
            7 months ago

            DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.

            But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.

            • snowe@programming.devEnglish
              1·
              7 months ago

              all they need to do is get you to install a sketchy browser extension and then anytime you generate a password on ddg they’ve captured it. No man in the middle necessary. Unlike generating a pw with your pw manager, then inserting it with your pw manager or just typing it into the field (which shouldn’t be accessible to extensions on any appropriately coded site).

    • zergtoshi@lemmy.worldEnglish
      16·
      7 months ago

      With https as protocol, picked up data packets won’t do much harm.
      But relying on anything but a local password manager is imho still a bad idea.

    • merc@sh.itjust.worksEnglish
      71·
      7 months ago

      This is probably ok. First of all, they’re probably actually doing it in Javascript in the browser. It probably never travels over the network at all. And, if it did, with HTTPS it would be hard to intercept and decrypt except by a government or something.

      But, it still gives me the willies to generate a password on a web page. Fundamentally a web browser is still a tool for sending and receiving data over the Internet, and that’s not the kind of tool I’d want to be generating something that I don’t want other people to know or see.

      What happens if there’s a bug? If the password is being generated in an app on my local system a badly designed app with a bug could maybe log my newly generated password in a local log file somewhere. If there’s a bug in DuckDuckGo’s javascript, who knows where that newly generated password might be logged?

    • Telodzrum@lemmy.worldEnglish
      2711·
      7 months ago

      If you’re going to use a password vault, use one you host yourself and not someone else’s service.

      • scintilla@crust.piefed.socialEnglish
        492·
        7 months ago

        The difference in complexity in setting up bitwarden and using your own self-hosted instance of bitwarden is fucking massive. For 99.9% of people rhem using bitwarden would greatly improve their password security and bitwarden has proven to be better than the competition.

      • notarobot@lemmy.zipEnglish
        191·
        7 months ago

        Lol, no. I don’t trust myselft to keep it well maintained, up to date, nor available when it matters most.

      • Mark with a Z@suppo.fiEnglish
        8·
        7 months ago

        Most people can not host it. Of those who can, many shouldn’t host it, for their own safety.

            • Telodzrum@lemmy.worldEnglish
              14·
              7 months ago

              If you really think most people are up to using a password manager, you live in a bubble.

              • Mark with a Z@suppo.fiEnglish
                6·
                7 months ago

                There’s quite a difference in the required level of knowledge between installing an app and self-hosting services.

              • smh@slrpnk.netEnglish
                4·
                7 months ago

                I got my non-gamer boomer neighbor on Bitwarden. It’s not that complicated.

                She’s never had a job or hobby where she had to use a computer and she picked up “oh, I store all my passwords in this magic browser thing? That’s way more convenient that remembering which kid’s birthday was the password to my email.” I also taught her how to copy and paste using the keyboard (and that you can remind yourself of what the shortcut is by right-clicking and looking at the shortcut hint in the menu).

      • RaivoKulli@sopuli.xyzEnglish
        1·
        7 months ago

        I think for most it’s much easier to have a local file for passwords (keepass) and just sync that using whatever sync software you might be using.

    • Cethin@lemmy.zipEnglish
      63·
      7 months ago

      I use KeePass. It’s just a local file (which you can sync/host how you see fit if you need to). I don’t understand why people choose to use password managers hosted by other people. You almost certainly don’t need that, and it introduces issues and vulnerabilities with little upside.

  • tuckerm@feddit.onlineEnglish
    35·
    7 months ago

    I like the little tools like this that DuckDuckGo has. A couple others:

    • “color picker”
    • “base64 encode your_text_here” (and “base64 decode encoded_string_here” as well)
    • “json formatter”
  • boredsquirrel (he)@slrpnk.netEnglish
    132·
    7 months ago

    Ok but you should use passphrases. Better to type and remember in case you need to

    There are instances where sites prevent copy-paste, or you are on another machine without your password manager available

    • Kernal64@sh.itjust.worksEnglish
      81·
      7 months ago

      That’s great if you only have a couple of online accounts, but get past a few dozen and you’re toast. I don’t know about you, but I sure can’t remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.

      • doctordevice@lemmy.caEnglish
        2·
        7 months ago

        Passphrases are easier when you need to enter the password on a system that isn’t logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.

    • NuXCOM_90Percent@lemmy.zipEnglish
      5·
      7 months ago

      Pass phrases for things that need to be human readable/rememberable.

      Generated strings for everything else.

      Because a pass phrase is inherently vulnerable to a dictionary attack because… it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is “a=@” or “every ‘e’ is a ‘b’” and so forth.

      Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and “one day we’ll have quantum computers” but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you… at which point “hmm. 96 characters? Must be a pass phrase”. So… not the venue to discuss.

      But, at that point… if you are using a password manager/vault anyway…

      Also the reality is that anyone who has ever dealt with a bank or some other “legacy” website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to “p@$$w0rd” level bullshit (or, better yet, you have a mental model/style of password).

  • Ech@lemmy.caEnglish
    111·
    7 months ago

    Or just use a locally hosted password generator for one that isn’t handfed to you by a for-profit company…

    • WhyIHateTheInternet@lemmy.worldEnglish
      7·
      7 months ago

      That’s what I’m thinking. Is it really so hard to just make up s random string of symbols? I do it all the time but use acronym type things to remember it.