Post AJBXmDPS1N91QNCLfk by jlapoutre@mastodon.online
(DIR) Post #AJ8xdCLp0HBPB26OLw by atoponce@fosstodon.org
2022-05-05T13:38:32Z
0 likes, 1 repeats
Last but certainly not least, I audited hundreds of web-based password generators and tracked them all in a Google spreadsheet. I haven't given it much attention lately, mostly due to other priorities, but it's still relevant and worth checking out. https://docs.google.com/spreadsheets/d/1ucaqJ4U3X3nNEbAAa06igbBkITHaA98blftOwT8u0I4/edit?usp=sharing
(DIR) Post #AJ8zyCAJ5Zfmafr8Wu by wholesomedonut@fosstodon.org
2022-05-05T14:04:44Z
0 likes, 0 repeats
@atoponce I don’t think I see keepersecurity.org on there. They’re definitely worth checking out.. real cool multi layer encryption model that’s intended to be zero-knowledge. They’re doing a FEDRAMP cert. One of the only PWMs I know of that are even attempting to do so. I’d actually be turbo interested in your thoughts on that system if you ever get around to that.
(DIR) Post #AJ900hvpx6n5gyHmdM by wholesomedonut@fosstodon.org
2022-05-05T14:05:12Z
0 likes, 0 repeats
@atoponce @atoponce I don’t think I see keepersecurity.com on there. They’re definitely worth checking out.. real cool multi layer encryption model that’s intended to be zero-knowledge. They’re doing a FEDRAMP cert. One of the only PWMs I know of that are even attempting to do so. I’d actually be turbo interested in your thoughts on that system if you ever get around to that.
(DIR) Post #AJ90p1OjqsAGXonPCy by atoponce@fosstodon.org
2022-05-05T14:14:16Z
0 likes, 0 repeats
@wholesomedonut Note that I'm only auditing password *generators* not managers, and only those generators that can be executed in the browser.
(DIR) Post #AJ912m2ZkOH2y5zFaa by atoponce@fosstodon.org
2022-05-05T14:16:46Z
0 likes, 0 repeats
@wholesomedonut Note that I'm only auditing password *generators* not managers, and only those generators that can be executed in the browser. Also, I don't recommend Keeper Security. Not only is it non-free closed source proprietary software, but the company sends legal threats against security researchers: https://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/ https://www.zdnet.com/article/password-manager-maker-keeper-hit-by-another-security-snafu/
(DIR) Post #AJ923rekSBekd2vSZU by davey@toot.wales
2022-05-05T14:28:10Z
0 likes, 0 repeats
@atoponce 👀 cool collection
(DIR) Post #AJ92GndOiZ6tv6ShoO by atoponce@fosstodon.org
2022-05-05T14:30:30Z
0 likes, 0 repeats
@davey Thanks!
(DIR) Post #AJ9elw4hBR91KfVKBk by jlapoutre@mastodon.online
2022-05-05T21:41:56Z
0 likes, 0 repeats
@atoponce cool collection, scary to find some “reputable” services ending so low (random.org!?). I missed the built-in tool from Firefox (aka Lockwise, the generator part). Any opinion about that?
(DIR) Post #AJBWnS4cszCXEvU1iq by atoponce@fosstodon.org
2022-05-06T19:22:00Z
0 likes, 0 repeats
@jlapoutre With Lockwise (now built into Firefox) being a password manager, I didn't audit it. The audit only covers password generators.
(DIR) Post #AJBXmDPS1N91QNCLfk by jlapoutre@mastodon.online
2022-05-06T19:32:57Z
0 likes, 0 repeats
@atoponce sure! But I mean the generate password feature which is part of it (even since the old days when it still was a standalone app as well). Back then I seemed to notice a kind of pattern like very often starting with an underscore followed by a capital. Might be just real random of course…
(DIR) Post #AJBXyxgRni90PrE4qO by atoponce@fosstodon.org
2022-05-06T19:35:16Z
0 likes, 0 repeats
@jlapoutre I started the audit in 2018, about a full year before Firefox created the Lockwise project (2019). Now that Lockwise is baked into Firefox proper, I would need to dig into the Firefox source code.
(DIR) Post #AJBYCJbRcI7qA7Fm08 by jlapoutre@mastodon.online
2022-05-06T19:37:39Z
0 likes, 0 repeats
@atoponce no sorties, I was / am just curious (❤️ Mozilla and wish them all the best!)