Advice Request Should you let free online password generators create your passwords?


Ink

Using Windscribe.com to create a new VPN account, and saw this option in the Choose Password field.

As the password is being generated behind-the-scenes from the website (no info about it) and not from my own keyboard / password manager, how unsafe is this?

Screenshot 2023-02-06 at 16.13.41.png
 

Bumblebee Uncle

Oh I am so sorry! Brain is sleepy I guess! I am not sure if I understand the question correctly on password being generated behind the scenes.

The website is generating its own password or are you using a password manager? I can try and reproduce the issue if I understand correctly. Should I try and create an account at Windscribe too to see if this happens for me? Sorry cannot be much use without understanding properly and apologies for missing your question initially.
 

ForgottenSeer 98186

As the password is being generated behind-the-scenes from the website (no info about it) and not from my own keyboard / password manager, how unsafe is this?
Bitwarden support:

"For the [Bitwarden] extension, that information [generated password] is generated in the browser, but isolated in memory to the same extent that any other extension would be on a given browser.

If you use our web vault [bitwarden.com], the generation would take place within the memory allocated to that [web]page so that would, in practice, be generated by the browser as well.

For the desktop app, the password is generated on the local system within the memory allocated by the operating system to the application.

Same applies on a mobile phone."
 

Thigas

Usually the password is generated locally, it's not a server-side process.

As peterfat11 said, maaaybe some 3rd party service can log it somehow, but in my opinion there is no need to be too skeptical about it.
 

Zero Knowledge

How much do you trust the website that generates passwords? Do you trust they are not logging password generation on their website? The same goes for password managers' inbuilt generators and password creation apps like PWTech: if your machine has malware or a backdoor, you're in trouble. You really have to trust the website or know your machine is 100% clean to be 100% sure it's safe.

To be honest if it was me, I would target online password generators and in-app generators and log everything every user inputs/outputs; it's prime territory for good creds and makes your job as an attacker easier.
 

ForgottenSeer 98186

How much do you trust the website that generates passwords? Do you trust they are not logging password generation on their website? The same goes for password managers' inbuilt generators and password creation apps like PWTech: if your machine has malware or a backdoor, you're in trouble. You really have to trust the website or know your machine is 100% clean to be 100% sure it's safe.

To be honest if it was me, I would target online password generators and in-app generators and log everything every user inputs/outputs; it's prime territory for good creds and makes your job as an attacker easier.
# This short PowerShell function generates a password of $length characters that contains
# at least $amountOfNonAlphanumeric non-alphanumeric symbols.
# Copy-paste the function below into a Windows PowerShell (powershell.exe) console, then enter
# "Get-RandomPassword <length> <# of non-alphanumeric symbols>"
#
# Syntax and Example:
#
# Get-RandomPassword <length> <# of non-alphanumeric symbols>
# Get-RandomPassword 10 5
#
# Output: ]a].{2wX[V
function Get-RandomPassword {
    param (
        [Parameter(Mandatory)]
        [int] $length,
        [int] $amountOfNonAlphanumeric = 1
    )
    # System.Web ships with .NET Framework, which Windows PowerShell (powershell.exe) runs on
    Add-Type -AssemblyName 'System.Web'
    return [System.Web.Security.Membership]::GeneratePassword($length, $amountOfNonAlphanumeric)
}
 

dinosaur07

It is about trust and info disclosure.
Still, I found it unsafe as we don't know for sure if they log the passwords generated or not, and also if they're using a 3rd party provider that logs the passwords or not.
In fact, theoretically it's better to use your own password, but still we don't know for sure if Windscribe logs it, so it could be the same thing whether you're using your own password, one generated by a PM, or the one generated by them.
 

upnorth

How much do you trust the website that generates passwords? Do you trust they are not logging password generation on their website? The same goes for password managers' inbuilt generators and password creation apps like PWTech: if your machine has malware or a backdoor, you're in trouble. You really have to trust the website or know your machine is 100% clean to be 100% sure it's safe.

To be honest if it was me, I would target online password generators and in-app generators and log everything every user inputs/outputs; it's prime territory for good creds and makes your job as an attacker easier.
True, as trust still matters for a majority of common home users, and one site I can recommend that even tries to explain it, as the developer understands that people have questions about it, is Steve Gibson's:

On the other hand, attacking weak sites or any site's online password generators to get access to "secret" passwords, without the other crucial key part, the username, is more of a hassle than it's worth, and even more so since good and fully working credentials (username + password) are nowadays easy to get access to elsewhere, with much less work and effort.
 

Zero Knowledge

On the other hand, attacking weak sites or any site's online password generators to get access to "secret" passwords, without the other crucial key part, the username, is more of a hassle than it's worth
Yeah, but if you're going to the trouble of stealing randomly generated passwords on a website or a password app, I think you would have a pretty good clue who you're after and attacking them is no problem, or you're already on the machine and can easily get a username, or with enough recon have a list of probable usernames. Plus, I imagine when you copy the password it's in plain text and then probably copied to the clipboard again in plain text.
 

markstitovits

It depends.
If it generates it locally then it's completely safe; if it's being generated on the internet and being sent across to your device then it's unsafe. I recommend you generate your password with a password manager, that way you can make sure it's generated on your device.
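
What "generated locally" means for a browser-based generator, as an added example that is not part of the thread and is not Windscribe's or Bitwarden's code: the page's script draws from the browser's CSPRNG (`crypto.getRandomValues`) and never sends the result anywhere. The alphabet and the names `randomBelow` and `generatePassword` are assumptions made for illustration; the parameters mirror the length / non-alphanumeric pair used by the PowerShell helper posted earlier in the thread.

```javascript
// Added example: local password generation with the Web Crypto API.
// Runs in a browser or in Node.js; nothing here makes a network request.
// (Fallback for Node versions where the global `crypto` is not exposed.)
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Illustrative alphabets (an assumption, not any site's real character set).
const ALNUM = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const SYMBOLS = '!@#$%^&*()-_=+[]{};:,.<>?';

// Uniform integer in [0, n) by rejection sampling, so no character is
// favoured the way a plain `value % n` would favour the low indexes.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// length: total characters; minSymbols: minimum non-alphanumeric characters.
function generatePassword(length, minSymbols = 1) {
  if (!Number.isInteger(length) || !Number.isInteger(minSymbols) ||
      length < 1 || minSymbols < 0 || minSymbols > length) {
    throw new RangeError('need length >= 1 and 0 <= minSymbols <= length');
  }
  const all = ALNUM + SYMBOLS;
  const chars = [];
  for (let i = 0; i < minSymbols; i++) {
    chars.push(SYMBOLS[randomBelow(SYMBOLS.length)]);
  }
  while (chars.length < length) {
    chars.push(all[randomBelow(all.length)]);
  }
  // Fisher-Yates shuffle so the guaranteed symbols are not always at the front.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}
```

On a real sign-up page, the browser's network panel shows whether the generate button triggers a request; a generator built like this one produces none.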
 

plat

Hmm, I don't think it's possible for an average end-user to know, unless there has been some disclosure, even from a whistleblower. I mean the host of the site, if it's sketchy, certainly isn't going to let on that it's "unsafe" in any way.

I used 1Password's site to generate some random ones which I then altered offline and stored on my offline HDD. The site doesn't look as nice as the one in OP but OK, whatever. uBlock Origin blocked only one domain and let the other two go, one with a "yellow" iffy mark. I guess at some point you have to say: I will take the chance. So far so good.

1password snip.png
 

mkoundo


Kuttz

Using Windscribe.com to create a new VPN account, and saw this option in the Choose Password field.

As the password is being generated behind-the-scenes from the website (no info about it) and not from my own keyboard / password manager, how unsafe is this?

View attachment 272701


Try generating a password from a different provider, for example Norton Password Generator, so that you no longer feel concerned...
 

Ink

Oh I am so sorry! Brain is sleepy I guess! I am not sure if I understand the question correctly on password being generated behind the scenes.

The website is generating its own password or are you using a password manager? I can try and reproduce the issue if I understand correctly. Should I try and create an account at Windscribe too to see if this happens for me? Sorry cannot be much use without understanding properly and apologies for missing your question initially.
It might be easier to explain by visiting the website: Windscribe.com/signup
 

jerzy601

I'd rather try to force my own passwords.
I don't use machine-generated passwords because I'm not sure what's going on on the other side of the site.
 

Bot

AI-powered Bot
Using an online password generator to create a password can be safe as long as you use a reputable and trustworthy website that implements secure encryption methods. Windscribe.com, for instance, uses a strong encryption algorithm to generate passwords, which makes it difficult for cybercriminals to guess or crack them.

However, it's important to note that the security of your password also depends on other factors such as the strength and complexity of the password, as well as your ability to keep it confidential and protect it from unauthorized access.

To ensure additional security, you may want to consider using a password manager to store and manage your passwords. This way, you can generate unique and complex passwords for all your online accounts without the need to memorize them all. Just make sure to use a reputable and trusted password manager that uses strong encryption methods to protect your sensitive data.
 