This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.
Ultimately, it's more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture
I'm no cybersecurity expert. But couldn't they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?
edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.
DoH is good, but it wouldn't help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you're connecting to.
But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer's signing key if you check that.
all they need to do is get you to install a sketchy browser extension and then anytime you generate a password on ddg they've captured it. No man in the middle necessary. Unlike generating a pw with your pw manager, then inserting it with your pw manager or just typing it into the field (which shouldn't be accessible to extensions on any appropriately coded site).
This is probably ok. First of all, they're probably actually doing it in Javascript in the browser. It probably never travels over the network at all. And, if it did, with HTTPS it would be hard to intercept and decrypt except by a government or something.
But, it still gives me the willies to generate a password on a web page. Fundamentally a web browser is still a tool for sending and receiving data over the Internet, and that's not the kind of tool I'd want to be generating something that I don't want other people to know or see.
What happens if there's a bug? If the password is being generated in an app on my local system a badly designed app with a bug could maybe log my newly generated password in a local log file somewhere. If there's a bug in DuckDuckGo's javascript, who knows where that newly generated password might be logged?
That's fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn't good to train people to trust a website for this.
The difference in complexity in setting up bitwarden and using your own self-hosted instance of bitwarden is fucking massive. For 99.9% of people rhem using bitwarden would greatly improve their password security and bitwarden has proven to be better than the competition.
I got my non-gamer boomer neighbor on Bitwarden. It's not that complicated.
She's never had a job or hobby where she had to use a computer and she picked up "oh, I store all my passwords in this magic browser thing? That's way more convenient that remembering which kid's birthday was the password to my email." I also taught her how to copy and paste using the keyboard (and that you can remind yourself of what the shortcut is by right-clicking and looking at the shortcut hint in the menu).
I use KeePass. It's just a local file (which you can sync/host how you see fit if you need to). I don't understand why people choose to use password managers hosted by other people. You almost certainly don't need that, and it introduces issues and vulnerabilities with little upside.
You can type "qr url" and have it done in one step. However, unlike your two-step process that most likely just fetches results for the common "qr code" query from cache, this loads their servers unnecessarily. The same can be achieved in Firefox by bookmarking "https://qr.15c.me/qr.html#%s" (or a local copy of tiny-qr.html) and settting its keyword (not to be confused with tags) to "qr".
I think a lot of people turned against DDG when they started pushing their AI generated results really hard. Seems like DDG is going all in on AI. I have started paying for Waterfox's search engine myself, after using DDG exclusively for years.
If you have a password vault, use the vault first.
For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don't contain dictionary words. Example:
Annual evaluations are due before summer. Be sure to mention the Grodsky project!
aeadB4S.Bs2mtGp.
Where did Julie's candy go? I ate it! She'll never know >:D
WdJcg?I8i!Snn>:D
Even if I had a perfectly secure connection, I'm still getting a password from a service that could be tracking me.
I didn't type this right in the first place, but it DOES bring up a point.
Substituting symbols for letters, we always called it leet speakโbut Wikipedia calls it mungedโused to be considered safe quite some time ago.
It's better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.
pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.
Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter
I want to be clear that what I'm about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.
A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I'll get there.
A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.
From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.
Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.
So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person's reputation at work if anyone got their company's AD password file out without notice, as well as one's security if their browser's password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.
Ok I think I had a misconception about complexity. In case of brute forcing passwords, of course adding symbols helps.
I generally just use 5-6 passphrase words, which should be very safe as the wordlist is pretty long. But adding spelling errors or dialect is an amazing solution which I should add to all my new passphrase passwords
I just made a simple excel sheet. Downloaded a large dictionary that I cleaned up so the min word size is 4 I think. Then build some random rollers and built a 3 or 4 word password with some numbers and special characters between words. Generally the passwords are 20+ characters long.
From most of what Iโve read, password length makes the most difference in their strength.
So, the difference with no numbers and special characters is 52^20 (2x10^34) versus 95^20 (3.6x10^39). There are three reasons this runs into issues.
Pure math indicates that a 20 digit alpha only password with caps sprinkled in is slightly stronger than 12-13 digits of alphanumeric plus caps and specials.
Out of the various people within various organizations I have supported, people have disclosed their passwords to me a breathtaking number of times. It is quite common for people to create a password with only lower characters. That would be 4x10^27, about the same as 14 characters using the full qwerty set.
Either way, we are discussing a password cracking tool running locally attempting to hash your password. You do have a point that 12 thousand years is a very long time to arbitrarily guess a password. Unless something changes where someone can easily access ten thousand cores at a reasonable utility, you are pretty much safe from anyone except state level threats. That would be full time use of that many cores for 37 days at 10k cores, or 9 hours access to a million cores. We just aren't there yet. No clue if this would work better with GPU time, but that would still be a serious system.
Now, I am stepping into old lessons from 2011, and I can't find a great source to back myself up. If I'm wrong, then I have been operating off this misinformation for 15 years and I'd gladly appreciate better information.
The final issue is that since passwords are hashed in chunks, parts of the password could become visible while the rest is being worked on. This could lead to the attacker guessing the rest of the password.
That's great if you only have a couple of online accounts, but get past a few dozen and you're toast. I don't know about you, but I sure can't remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.
Passphrases are easier when you need to enter the password on a system that isn't logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.
Pass phrases for things that need to be human readable/rememberable.
Generated strings for everything else.
Because a pass phrase is inherently vulnerable to a dictionary attack because... it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is "a=@" or "every 'e' is a 'b'" and so forth.
Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and "one day we'll have quantum computers" but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you... at which point "hmm. 96 characters? Must be a pass phrase". So... not the venue to discuss.
But, at that point... if you are using a password manager/vault anyway...
Also the reality is that anyone who has ever dealt with a bank or some other "legacy" website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to "p@$$w0rd" level bullshit (or, better yet, you have a mental model/style of password).
That's what I'm thinking. Is it really so hard to just make up s random string of symbols? I do it all the time but use acronym type things to remember it.
Fun fact: You can generate a random UUID in your web browser without needing to visit a website. Just open your browser console and type crypto.randomUUID()
Like just generate an md5 hash, truncate it to whatever arbitrary number the shitty website decided is their password length limit, then store it in an encrypted db
Of course this is just a long way of reinventing keepass/1password/bitwarden/icloud keychain/etc
This seems like one picked up data packet away from being a bad idea. Am I overthinking this?
This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.
Ultimately, it's more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture
Are they sending data? I'm pretty sure this will just be generated on the client.
Yeah, I tested it. It's not a client side thing, it is part of the search page output.
oof
might as well send them feedback about that, ddg seems to actually give half a shit about users and it should be a very trivial thing to change.
I'm no cybersecurity expert. But couldn't they just sniff your traffic to see where you (your packets) go and test the pw on each login for the last hour?
edit: I guess they are using DuckDuckGo, which has a higher level of privacy design and limits.
This is why you should do DNS over HTTPS
DoH is good, but it wouldn't help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you're connecting to.
But realistically using DDG to generate a password is safer than downloading a local program to do it, an attacker would have to break into DDG and MITM your internet. For a local program all they have to do is compromise the site you download it from, and maybe the developer's signing key if you check that.
all they need to do is get you to install a sketchy browser extension and then anytime you generate a password on ddg they've captured it. No man in the middle necessary. Unlike generating a pw with your pw manager, then inserting it with your pw manager or just typing it into the field (which shouldn't be accessible to extensions on any appropriately coded site).
You are not overthinking it. Exploiting this would be a bit more complex than capturing a packet on the wire, but it is possible.
If you intend to use a passphrase for anything important, it's best to generate it locally.
If you have to use this, generate multiple passwords and mix them
With https as protocol, picked up data packets won't do much harm.
But relying on anything but a local password manager is imho still a bad idea.
Yeah I think I'll just click an icon in my password manager instead.
There are certainly better ideas.
This is probably ok. First of all, they're probably actually doing it in Javascript in the browser. It probably never travels over the network at all. And, if it did, with HTTPS it would be hard to intercept and decrypt except by a government or something.
But, it still gives me the willies to generate a password on a web page. Fundamentally a web browser is still a tool for sending and receiving data over the Internet, and that's not the kind of tool I'd want to be generating something that I don't want other people to know or see.
What happens if there's a bug? If the password is being generated in an app on my local system a badly designed app with a bug could maybe log my newly generated password in a local log file somewhere. If there's a bug in DuckDuckGo's javascript, who knows where that newly generated password might be logged?
That's fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn't good to train people to trust a website for this.
I've started using https://neal.fun/password-game/ to generate passwords ๐
If you're going to auto generate passwords, just use BitWarden.
If you're going to use a password vault, use one you host yourself and not someone else's service.
The difference in complexity in setting up bitwarden and using your own self-hosted instance of bitwarden is fucking massive. For 99.9% of people rhem using bitwarden would greatly improve their password security and bitwarden has proven to be better than the competition.
FYI Vaultwarden is simpler and should be easier to self-host
Would love to set up Vaultwarden, but I trust my own skills in hardening a server less than Bitwardens
I don't even trust my server skills enough to open my jellyfin to the internet.
Lol, no. I don't trust myselft to keep it well maintained, up to date, nor available when it matters most.
Oh, thatโs fine; I've been wrong before, too.
Most people can not host it. Of those who can, many shouldn't host it, for their own safety.
Well thatโs some FUD nonsense to excuse laziness.
If you really think most people are up to it, you live in a bubble.
If you really think most people are up to using a password manager, you live in a bubble.
There's quite a difference in the required level of knowledge between installing an app and self-hosting services.
I got my non-gamer boomer neighbor on Bitwarden. It's not that complicated.
She's never had a job or hobby where she had to use a computer and she picked up "oh, I store all my passwords in this magic browser thing? That's way more convenient that remembering which kid's birthday was the password to my email." I also taught her how to copy and paste using the keyboard (and that you can remind yourself of what the shortcut is by right-clicking and looking at the shortcut hint in the menu).
You can host Bitwarden...
So you agree?
I think for most it's much easier to have a local file for passwords (keepass) and just sync that using whatever sync software you might be using.
I use KeePass. It's just a local file (which you can sync/host how you see fit if you need to). I don't understand why people choose to use password managers hosted by other people. You almost certainly don't need that, and it introduces issues and vulnerabilities with little upside.
I like the little tools like this that DuckDuckGo has. A couple others:
my favorite is "qr code" best and easiest qr code generator
Whoa, that one is great.
I like this as most qr generator websites make a link shortener kind of thing and put ads before my content.
Yeah I used it to convert my totp token to qr code. Works great
You can type "qr url" and have it done in one step. However, unlike your two-step process that most likely just fetches results for the common "qr code" query from cache, this loads their servers unnecessarily. The same can be achieved in Firefox by bookmarking "https://qr.15c.me/qr.html#%s" (or a local copy of tiny-qr.html) and settting its keyword (not to be confused with tags) to "qr".
Uuid
Oh cool, I didn't know about that one.
yeah
now tell me why are people hating it and putting codes on the comments
I think a lot of people turned against DDG when they started pushing their AI generated results really hard. Seems like DDG is going all in on AI. I have started paying for Waterfox's search engine myself, after using DDG exclusively for years.
They still offer an alternative on their
noaisubdomainOh nice, that's good to know about.
I also just remembered that there's html.duckduckgo.com as well, which also seems to leave out any AI features.
what do you mean? They don't have much AI stuff, and you can deactivate them.
hunter2
All I see is *******.
correct horse battery staple
I would definitely use those passwords! /s
Right! How good is the entropy?...
Your password manager does this too!
$ Openssl rand 16 | base64
today I learned. Thanks :)
Or just use your password manager. Where you save that password.
gasp what??
No thank you, KeepAssXC for me!
That isn't great from a security perspective
Ok but you should use passphrases. Better to type and remember in case you need to
There are instances where sites prevent copy-paste, or you are on another machine without your password manager available
If you have a password vault, use the vault first.
For rotating PC login credentials, I use codified passphrases. They typically meet security needs, are unique and nearly unguessable because it could be ANYTHING in your office, and don't contain dictionary words. Example:
Annual evaluations are due before summer. Be sure to mention the Grodsky project! aeadB4S.Bs2mtGp.
Where did Julie's candy go? I ate it! She'll never know >:D
WdJcg?I8i!Snn>:D
Even if I had a perfectly secure connection, I'm still getting a password from a service that could be tracking me.
WdJcg?I8i!Sn
nk>:DI didn't type this right in the first place, but it DOES bring up a point.
Substituting symbols for letters, we always called it leet speakโbut Wikipedia calls it mungedโused to be considered safe quite some time ago.
It's better not to use real words because it makes it easier for password cracking tools. If you have to, it is better to mung them, but also misspell them.
pY@zvvuD is much stronger than p@55w0rd, even if it is harder to remember. In the same vein, my bunged password would have been slightly more secure, even if someone had found my pass phrase. But in my case, my password sucked because I would have probably come back trying to put a k at the end. I have munged them like that in the past, but it is extra to remember.
Adding these symbols adds no security and just makes passwords harder to remember and type. If you dont use very common dictionary words, brute forcing will likely be just letter by letter
I want to be clear that what I'm about to say only refers to compromised systems where the password database has already been exfiltrated and systems that do not lock or otherwise slow down attackers.
A system where the passwords are inaccessible, requires periodic password changes, enforces complexity, and locks out invalid attempts probably is fine, but I'll get there.
A password cracking tool will typically start with lists of known passwords, then it will move on to dictionary words. If the attacker has any personal information, and the means to add it, they will give priority to that information. Phrases with multiple words are more likely, and will be tested next. These dictionary attacks are run first because on a fast enough system they can crack a password in weeks. Munging standard spelling increases the entropy here, increasing the number of attempts to guess a password.
From here, an attacker must start brute force, which tries to decipher your password one character at a time. Adding uppercase characters doubles the number of characters, but that is still super quick to crack. Adding numbers begins to increase the time, but all this is going to be checked within hours or days depending on the length of the password and the resources the attacker is committing.
Adding special characters significantly increases the amount of time because just the standard (33?) characters characters easily accessible on a common US Qwerty keyboard multiples the checks that many times, per each character in the password.
So, uncommonly misspelled words and sprinkled in characters increase the security of your accounts over just dictionary words. This would guard a person's reputation at work if anyone got their company's AD password file out without notice, as well as one's security if their browser's password store is compromised. Also, some people refuse to follow proper security for convenience, and it is sometimes possible to find a service that will allow rapid password attempts.
Ok I think I had a misconception about complexity. In case of brute forcing passwords, of course adding symbols helps.
I generally just use 5-6 passphrase words, which should be very safe as the wordlist is pretty long. But adding spelling errors or dialect is an amazing solution which I should add to all my new passphrase passwords
I just made a simple excel sheet. Downloaded a large dictionary that I cleaned up so the min word size is 4 I think. Then build some random rollers and built a 3 or 4 word password with some numbers and special characters between words. Generally the passwords are 20+ characters long.
From most of what Iโve read, password length makes the most difference in their strength.
So, the difference with no numbers and special characters is 52^20 (2x10^34) versus 95^20 (3.6x10^39). There are three reasons this runs into issues.
Pure math indicates that a 20 digit alpha only password with caps sprinkled in is slightly stronger than 12-13 digits of alphanumeric plus caps and specials.
Out of the various people within various organizations I have supported, people have disclosed their passwords to me a breathtaking number of times. It is quite common for people to create a password with only lower characters. That would be 4x10^27, about the same as 14 characters using the full qwerty set.
Either way, we are discussing a password cracking tool running locally attempting to hash your password. You do have a point that 12 thousand years is a very long time to arbitrarily guess a password. Unless something changes where someone can easily access ten thousand cores at a reasonable utility, you are pretty much safe from anyone except state level threats. That would be full time use of that many cores for 37 days at 10k cores, or 9 hours access to a million cores. We just aren't there yet. No clue if this would work better with GPU time, but that would still be a serious system.
Now, I am stepping into old lessons from 2011, and I can't find a great source to back myself up. If I'm wrong, then I have been operating off this misinformation for 15 years and I'd gladly appreciate better information.
The final issue is that since passwords are hashed in chunks, parts of the password could become visible while the rest is being worked on. This could lead to the attacker guessing the rest of the password.
That's great if you only have a couple of online accounts, but get past a few dozen and you're toast. I don't know about you, but I sure can't remember 50+ unique pass phrases. However, I can remember the one for my password manager, which has 30+ random character passwords for all my accounts.
Passphrases are easier when you need to enter the password on a system that isn't logged into your vault, even if they are longer. I usually default to 3 word passphrase + random number at the end of a word + random special character in the middle of a word.
You didnt read my comment
Pass phrases for things that need to be human readable/rememberable.
Generated strings for everything else.
Because a pass phrase is inherently vulnerable to a dictionary attack because... it is words. You can obfuscate that but all the ways that would actually not compromise the readability are also pretty well known (whether that is "a=@" or "every 'e' is a 'b'" and so forth.
Is a 96 character pass phrase meaningfully more vulnerable than a 16 character generated string? That gets into the realm of hypotheticals and "one day we'll have quantum computers" but you are generally looking at a situation where everything is fucked anyway or there is a very targeted attack on you... at which point "hmm. 96 characters? Must be a pass phrase". So... not the venue to discuss.
But, at that point... if you are using a password manager/vault anyway...
Also the reality is that anyone who has ever dealt with a bank or some other "legacy" website rapidly learns that there are max lengths for passwords because they are more afraid of allocating a few extra megabytes for the SQL database than anything else. At which point your pass phrase goes out the window and you are back to "p@$$w0rd" level bullshit (or, better yet, you have a mental model/style of password).
Passphrases everywhere, add dialect to make it harder, symbols if you like. Crazy but short passwords for limitations
typing passwords ๐ซฉ
Or just use a locally hosted password generator for one that isn't handfed to you by a for-profit company...
Alternatively, you can just roll your face on the keyboard and then take a screenshot of the resulting password to save it. ๐คทโโ๏ธ
That's what I'm thinking. Is it really so hard to just make up s random string of symbols? I do it all the time but use acronym type things to remember it.
$ pwgen -s -1 32
Short password please.
-"Penis"
Long password please
YourPen!sInMyHand
It can also generate UUIDs. Very useful.
pass --generate -c
You can also just use "random password x" with x being a number. What I use more often is "random uuid" which I hope is self explanatory.
Fun fact: You can generate a random UUID in your web browser without needing to visit a website. Just open your browser console and type
crypto.randomUUID()Stop putting crypto into everything!
(/jk)
this makes me want a little keychain device that generates a UUID and shows it as a QR code when you press a button
Why not local
Like just generate an md5 hash, truncate it to whatever arbitrary number the shitty website decided is their password length limit, then store it in an encrypted db
Of course this is just a long way of reinventing keepass/1password/bitwarden/icloud keychain/etc
If youโre already generating an md5 and truncating it (an md5 of what?), you might as well use pwgen.
I haven't in a while, but back when I generated passwords for users, I would use the openssl command.
An md5 of whatever string pops in your head at that moment. True randomness is a persons nonsequitors
This makes sense. I had no idea what tools existed because as mentioned many db solutions exist for this