Hacker News

> Such a statement should be backed by proof, not by trust.

Just noting that "Cheswick" is the dude that literally (co-)wrote the book on firewalls (1e in 1994):

* https://en.wikipedia.org/wiki/Firewalls_and_Internet_Securit...

* https://en.wikipedia.org/wiki/William_Cheswick

* https://en.wikipedia.org/wiki/Firewall_(computing)

Is this some sort of argument from authority? I'm not accusing the author of anything.

But now that you mention him, the man was working at Bell Labs during the time when Ken wrote his famous essay "Reflections on Trusting Trust". If he shared just a small part of his colleague's spirit, it would be irresistible to him to log all passwords that thousands of people may decide to use. Mainly as a conversation starter, not to do anything bad with these passwords. Maybe he's gathering cool stories in case of a hypothetical Turing award in the future?


It is an argument from authority, but such a critique is less relevant in this context. This is not the examination of a logical argument.

GP was arguing that OP is trustworthy because he has a reputation to maintain.


> GP was arguing that OP is trustworthy because he has a reputation to maintain.

I, the GP, am arguing nothing of the sort.


Then what was your point? Why else reference the author’s reputation?


I'm very fortunate I do not live with your kind of paranoia.


Is it paranoia to have proper security practices? You should strive to be excellent in everything you do. I do not think that targeting the GP with an ad hominem attack is a valid argument.


The fact that you are using the internet means that you have implicit trust in much less trustworthy entities than a known security researcher.

That being said, there's no need to use third-party password generators if you can make your own.


Ok sure, but you're moving the goalposts. The OP was talking specifically with respect to using a non client side password generator. As a joke it is funny, but only a fool would use a password generator that can't be audited and that may be logged.


> only a fool would use a password generator that can't be audited and that may be logged.

Really?

1. It’s from a known-reliable source

2. Even if the password is stored, logged, broadcast around the world for billions to see, so what?

A. Source has no way to know if the user used the password anywhere or saved it

B. Source doesn’t know who the user is

C. Source doesn’t know in which website or resource the password was used.

So… I stand by my paranoia claim. I wouldn’t go so far as to call you foolish like you did me, but I’d say such a world view will not be a net gain for you over your lifetime. You’ll have difficulty delegating work. You’ll have major trust issues. Maybe you already do. But as they say, “you do you.”


No need to make your own generator.

But being able to inspect (theoretically even audit) the source, building it (if necessary) and running it locally in some container/sandbox without a network connection would be minimum requirements for me.
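A local, inspectable generator of the kind the two comments above call for (your own code, run offline, nothing logged anywhere), as an added example that is not part of this thread and not Cheswick's page or code. The 94-symbol alphabet, the 128-bit target and the function names are this example's own choices; the contrast with a seeded `random.Random` is included to show the concrete thing an audit of a generator is looking for.

```python
"""Local, auditable password generator (added example, not from the thread)."""
import math
import random  # only used below to show why a seedable PRNG is the wrong tool
import secrets
import string

# Assumed character set: printable ASCII without space, 94 symbols.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which uniform strings carry at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw every symbol with secrets.choice (os.urandom underneath, rejection
    sampling, so no modulo bias and no seed anyone can learn)."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        # A repeated symbol would be drawn more often than the others and the
        # entropy estimate above would overstate the real strength.
        raise ValueError("alphabet must not contain duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seeded_password(seed: int, length: int, alphabet: str = DEFAULT_ALPHABET) -> str:
    """The anti-pattern an audit should flag: random.Random is a Mersenne Twister,
    so the whole 'password' is a function of the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    size = len(DEFAULT_ALPHABET)
    n = length_for_bits(128, size)
    print(f"{generate_password(n)}  ({entropy_bits(n, size):.1f} bits, {n} chars)")
    # Same seed, same output: whoever knows or guesses the seed has the password.
    assert seeded_password(1, 16) == seeded_password(1, 16)
```

To meet the "no network" requirement literally, run it in a container started with `--network none` (or simply on a machine with the interface down); the script imports nothing that talks to the outside, which is the property the source inspection is meant to confirm.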


I mean, I'll take it.


It's the long con!
