Comment by userbinator
9 hours ago
OK, so you have the username and password. But what about where to use the credentials? Is that also copy-pasted from somewhere?
It's like coming across a key someone dropped on the road. You don't even know what it's for.
Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
> It's like coming across a key someone dropped on the road. You don't even know what it's for.
There are a lot of keys that are self-identifying, even real keys. My key has "Apartment Name, Apartment Number" engraved into the head, and searching the apartment name on Google brings it up in the first 5 results.
Let's say you find the following plaintext on the network: "sk-xxx....". Do you know what it's for? What if it's AKIAIOSFODNN7EXAMPLE?
What if it's a list of words from the BIP-39 wordlist?
> Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
It only takes one person, and since this is HTTP traffic, not HTTPS, the number of people who can see it is huge. Everyone on your wifi (i.e. the whole coffee shop, remember Firesheep), your ISP, each router between your ISP and China, and so on.
I wouldn't be surprised if someone is scanning all traffic that they see for bitcoin private keys and BIP-39 phrases since both of those could lead to some significant financial gain.
Heck, back in the day in my college dorm I ran a wifi hotspot only to sniff plaintext traffic and poke around, since I had a less strong sense of morals, and I bet the kids these days are still doing that.
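The point above about credentials being "self-identifying" by their shape is what defensive secret scanners and log redactors rely on. Added example (not from this thread, not any vendor's official pattern set): a small classifier that flags the three formats named in the comment in a constructed sample and masks them for triage; the AWS and "sk-" patterns are structural assumptions, and the BIP-39 check only becomes a real check when the caller supplies the 2048-word list.

```python
from __future__ import annotations
import re

# Structural patterns for "self-identifying" secrets (assumptions, not vendor specs).
PATTERNS = {
    # AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary),
    # body from the base32 alphabet A-Z2-7. Matches AKIAIOSFODNN7EXAMPLE.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b"),
    # "sk-" prefixed API tokens: prefix plus a long opaque body (assumed >= 20 chars).
    "sk_prefixed_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}

# BIP-39 mnemonics are 12/15/18/21/24 lowercase words of 3-8 letters each.
BIP39_LENGTHS = {12, 15, 18, 21, 24}
BIP39_WORD = re.compile(r"^[a-z]{3,8}$")


def looks_like_bip39(text: str, wordlist: set[str] | None = None) -> bool:
    """Structural hint without a wordlist; a real membership check with one."""
    words = text.strip().split()
    if len(words) not in BIP39_LENGTHS or not all(BIP39_WORD.match(w) for w in words):
        return False
    return wordlist is None or all(w in wordlist for w in words)


def mask(value: str) -> str:
    """Keep just enough of the value to triage it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, wordlist: set[str] | None = None) -> list[tuple[str, str]]:
    """Return (label, masked_value) pairs for every recognised secret in text."""
    findings = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((label, mask(m.group(0))))
    for line in text.splitlines():
        if looks_like_bip39(line, wordlist):
            findings.append(("bip39_mnemonic_candidate", mask(line)))
    return findings


# Constructed sample of plaintext HTTP traffic; the mnemonic line is the first
# twelve words of the English BIP-39 list, not a real wallet seed.
SAMPLE = """POST /api/v1/chat HTTP/1.1
Authorization: Bearer sk-abcdefghijklmnopqrstuvwxyz123456
X-Aws-Key: AKIAIOSFODNN7EXAMPLE
abandon ability able about above absent absorb abstract absurd abuse access accident
"""

if __name__ == "__main__":
    for label, masked in scan_text(SAMPLE):
        print(f"{label}: {masked}")
```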
> My key has "Apartment Name, Apartment Number" engraved into the head
Hotels learned not to do such silly things several decades ago.
I'm surprised that your building management lacks such obvious wisdom.
People reuse user names and passwords all the time.
It is also quite feasible to test a user+password combo on the most common websites.
I use a unique email address with the + format for each service, like "me+kagi@email.com". Login with email reveals the service through the address.
And yes, I too usually copy-paste both the username and the password, one right after the other. I have often thought that it seems very risky, but good to learn that Wayland already prevents clipboard sniffing.