undefined | Better HN

0 pointsasdkhadsj6y ago0 comments

I'd imagine the risk is pretty great, for the same reason I wouldn't paste a password here that I use. Sure, you may not know who I am, but if you were the site itself you get a ton of information on me.. which is more than I'd like you to know if you _also_ know one of my passwords.

I agree, the risk is minimal. Nevertheless.. security, heh.

0 comments

3 comments · 1 top-level

mlyle6y ago· 2 in thread

The site doesn't know the password, though-- it's generated clientside.

beardedwizard6y ago

Will you be inspecting the code every single time it loads to ensure that has not changed? You are receiving this code from an untrusted 3rd party every time you visit. There is a big difference to trusting a known entity like lastpass, 1password, etc, all of whom are vulnerable to supply chain attacks. It is another thing entirely to trust a random website on hackernews.

Payload decoders and password generators are some of the biggest honeypots out there. Combining this with an attack taking advantage of hidden form autofill, you could gain quite a bit of information to go along with that password.

mlyle6y ago

If I were to use it, I'd probably just pull my own copy off github.

If I were to recommend novices to use it-- I'd tell them to use a password manager locally, and something like that to generate a secure password to get into their own machine locally / get into their password manager-- which mitigates most of the risk if it turns rogue.

1 more reply

j / k navigate · click thread line to collapse