undefined | Better HN

0 pointspvg6y ago0 comments

Password managers and browsers themselves can generate passwords. Generating passwords with a website it a terrible idea, googling "password generator" and going to some random website is an even worse variant of the same idea.

0 comments

pabletec6y ago

this is not a random website, this is "the browxy" site

TheDong6y ago

I find it bizarre that you have exactly 3 comments in 5 years, all of which are on dbremmen's posts, who happens to be the creator of browxy [0].

Forgive me if I don't trust my password generation on the servers of someone who is either sock-puppeting, or having a friend do something that does not look all that different.

Even if I trust the person who runs the browxy website and servers, I don't trust my password generation to a multi-tenet environment. Browxy is running this code in docker containers on a machine with many other docker containers running arbitrary user-submitted code. The intel vulnerabilities over the past year or so have made it incredibly clear that running sensitive code on the same CPU as totally untrusted and possibly malicious code is a dangerous proposition and there are numerous potential side channels to exfiltrate data.

Trusting password generation to a website that generates passwords on a shared machine is even worse than the usual password generation website which at least uses javascript/securerandom to do it on my CPU.

[0]: https://news.ycombinator.com/item?id=11719439

oefrha6y ago

If you look at submissions of these two accounts it’s even worse.

j / k navigate · click thread line to collapse