Comment by 01HNNWZ0MV43FF
2 days ago
> a password is worth something only to those who know what the password is for
I also copy-paste my username from KeePass, so you'd pretty quickly get everything
> It's like coming across a key someone dropped on the road. You don't even know what it's for.
There are a lot of keys that are self-identifying, even real keys. My key has "Apartment Name, Apartment Number" engraved into the head, and searching the apartment name on Google brings it up in the first 5 results.
Let's say you find the following plaintext on the network: "sk-xxx....". Do you know what it's for? What if it's AKIAIOSFODNN7EXAMPLE?
What if it's a list of words from the BIP-39 wordlist?
> Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
It only takes one person, and since this is HTTP traffic, not HTTPS, the number of people who can see it is huge. Everyone on your wifi (i.e. the whole coffee shop, remember Firesheep), your ISP, each router between your ISP and China, and so on.
I wouldn't be surprised if someone is scanning all traffic that they see for bitcoin private keys and BIP-39 phrases since both of those could lead to some significant financial gain.
Heck, back in the day in my college dorm I ran a wifi hotspot only to sniff plaintext traffic and poke around, since I had a less strong sense of morals, and I bet the kids these days are still doing that.
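The comment above argues that many secrets identify themselves by their shape (an "sk-" prefix, an "AKIA" access key id, a 12- or 24-word mnemonic). The following is an added example, not code from any commenter, of the kind of outbound secret-format check a DLP or egress filter would run over plaintext before it leaves a host. The sample text is constructed; the AKIA value is the documented AWS placeholder key id, and the word-list check is a structural heuristic (a real implementation would confirm every word against the 2048-word BIP-39 list, which is not embedded here).

```python
import re

# Constructed sample of plaintext that might cross a network in the clear.
# AKIAIOSFODNN7EXAMPLE is the documented AWS example key id, not a real credential.
SAMPLE_TEXT = """GET /sync HTTP/1.1
token=sk-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
note: abandon ability able about above absent absorb abstract absurd abuse access accident
"""

# Self-identifying prefixes: the format alone tells a reader what the value is for.
PREFIX_PATTERNS = {
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Heuristic for mnemonic phrases: a run of exactly 12 or 24 short lowercase words.
WORD_RE = re.compile(r"[a-z]{3,8}")
MNEMONIC_LENGTHS = (12, 24)


def redact(value: str) -> str:
    """Keep only enough of a match to identify its format in a log line."""
    return value[:4] + "..." + f"({len(value)} chars)"


def find_mnemonic_like(text: str) -> list[str]:
    """Return runs of 12 or 24 consecutive lowercase words on a single line."""
    hits = []
    for line in text.splitlines():
        run: list[str] = []
        # Trailing sentinel flushes the final run of each line.
        for word in line.split() + [""]:
            if WORD_RE.fullmatch(word):
                run.append(word)
                continue
            if len(run) in MNEMONIC_LENGTHS:
                hits.append(" ".join(run))
            run = []
    return hits


def scan_for_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for every self-identifying secret found."""
    findings = []
    for kind, pattern in PREFIX_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, redact(match.group(0))))
    for phrase in find_mnemonic_like(text):
        findings.append(("mnemonic_like_phrase", redact(phrase)))
    return findings


if __name__ == "__main__":
    for kind, shown in scan_for_secrets(SAMPLE_TEXT):
        print(f"{kind}: {shown}")
```

Findings are redacted before they are reported, so the check itself never re-logs the credential it flagged.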
> My key has "Apartment Name, Apartment Number" engraved into the head
Hotels learned not to do such silly things several decades ago.
I'm surprised that your building management lacks such obvious wisdom.
> OK, so you have the username and password. But what about where to use the credentials? Is that also copy-pasted from somewhere?
At least KeePassXC has IIRC a field for the website, and a button to copy it to the clipboard, right next to the buttons to copy the username and password. It's a great way to make sure you're opening the correct site, and not a typosquatted counterfeit.
I use a unique email address with the + format for each service, like "me+kagi@email.com". Login with email reveals the service through the address.
And yes, I too usually copy-paste both the username and the password, one right after the other. I have often thought that it seems very risky, but good to learn that Wayland already prevents clipboard sniffing.
The reason copy+pasting is risky is that it builds a habit where you're vulnerable to phishing sites.
Use the browser extension for your password manager, it auto-fills based on URL, so if you're on "kagii.com", it won't auto-fill and you'll notice something is off, but if you're on "kagi.com" it will.
Auto-filling vs copy+pasting is a security feature.
People reuse user names and passwords all the time.
It is also quite feasible to test a user+password combo on the most common websites.