Comment by userbinator

1 day ago

[flagged]

> It's like coming across a key someone dropped on the road. You don't even know what it's for.

There are a lot of keys that are self-identifying, even real keys. My key has "Apartment Name, Apartment Number" engraved into the head, and searching the apartment name on Google brings it up in the first 5 results.

Let's say you find the following plaintext on the network: "sk-xxx....". Do you know what it's for? What if it's AKIAIOSFODNN7EXAMPLE?

What if it's a list of words from the BIP-39 wordlist?

> Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.

It only takes one person, and since this is HTTP traffic, not HTTPS, the number of people who can see it is huge. Everyone on your Wi-Fi (i.e. the whole coffee shop; remember Firesheep), your ISP, each router between your ISP and China, and so on.

I wouldn't be surprised if someone is scanning all traffic that they see for bitcoin private keys and BIP-39 phrases since both of those could lead to some significant financial gain.

Heck, back in the day in my college dorm I ran a wifi hotspot only to sniff plaintext traffic and poke around, since I had a less strong sense of morals, and I bet the kids these days are still doing that.

  • > My key has "Apartment Name, Apartment Number" engraved into the head

    Hotels learned not to do such silly things several decades ago.

    I'm surprised that your building management lacks such obvious wisdom.

    • It's been a real lifesaver, whenever a guest loses the guest key it just ends up back in my mailbox eventually.

      Also, like 80% of the hotels I've stayed at in the last year have the hotel name on the keycard, though admittedly they usually don't include the room number.

      The remaining 20% had physical keys with keychain fobs that had the room number and often the hotel name (typically Japanese ryokans do this).

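As an added example (not code from this thread or from any project it names), here is a small leak scanner in the defender's role: run over a captured plaintext body or a log line, it flags the three self-identifying formats the comment above mentions and reports them redacted so the credential can be rotated. The AKIA pattern follows AWS's documented 20-character access key ID shape; the "sk-" shape and the tiny BIP-39 word subset are assumptions for illustration.

```python
import re
from typing import FrozenSet, List, Tuple

# Regexes for the two self-identifying key formats named in the thread. The AWS access key ID
# shape (AKIA + 16 upper-case alphanumerics) is documented; the "sk-" shape is an assumption
# (prefix plus at least 20 token characters), not any vendor's published specification.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_prefixed_api_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}"),
}

# Constructed subset of the 2048-word BIP-39 English list, enough for the sample below.
# A real scanner loads the full list; membership is the check, not merely "lowercase words".
BIP39_SUBSET: FrozenSet[str] = frozenset({"abandon", "ability", "able", "about", "above", "absent"})
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def redact(value: str) -> str:
    """Keep just enough to identify the finding for rotation, never the whole secret."""
    return value[:6] + "..." + f"({len(value)} chars)"


def find_mnemonics(text: str, wordlist: FrozenSet[str] = BIP39_SUBSET) -> List[str]:
    """Report runs of consecutive wordlist words whose length is a valid BIP-39 phrase length.
    Runs of any other length (including a mnemonic plus one stray wordlist word) are ignored."""
    tokens = [t.strip("\"'.,;:()[]{}").lower() for t in text.split()]
    hits, run = [], []
    for tok in tokens + [""]:  # empty sentinel flushes the final run
        if tok in wordlist:
            run.append(tok)
            continue
        if len(run) in MNEMONIC_LENGTHS:
            hits.append(redact(" ".join(run)))
        run = []
    return hits


def scan_for_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_value) for every self-identifying credential found in text."""
    findings = [(kind, redact(m.group(0))) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]
    findings += [("bip39_mnemonic", hit) for hit in find_mnemonics(text)]
    return findings


# Constructed sample of a plaintext HTTP body. The AKIA value is AWS's published example ID and the
# phrase is the well-known all-"abandon" BIP-39 test vector, so nothing here is a live secret.
SAMPLE_BODY = (
    '{"aws_key": "AKIAIOSFODNN7EXAMPLE", "api_key": "sk-abcdefghijklmnopqrstuvwxyz0123", '
    '"note": "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"}'
)

if __name__ == "__main__":
    for kind, value in scan_for_secrets(SAMPLE_BODY):
        print(f"{kind}: {value} -> rotate this credential")
```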

> OK, so you have the username and password. But what about where to use the credentials? Is that also copy-pasted from somewhere?

At least KeePassXC has IIRC a field for the website, and a button to copy it to the clipboard, right next to the buttons to copy the username and password. It's a great way to make sure you're opening the correct site, and not a typosquatted counterfeit.

I use a unique email address with the + format for each service, like "me+kagi@email.com". Login with email reveals the service through the address.

And yes, I too usually copy-paste both the username and the password, one right after the other. I have often thought that it seems very risky, but good to learn that Wayland already prevents clipboard sniffing.

  • The reason copy+pasting is risky is that it builds a habit where you're vulnerable to phishing sites.

    Use the browser extension for your password manager, it auto-fills based on URL, so if you're on "kagii.com", it won't auto-fill and you'll notice something is off, but if you're on "kagi.com" it will.

    Auto-filling vs copy+pasting is a security feature.

People reuse user names and passwords all the time.

It is also quite feasible to test a user+password combo on the most common websites.