this post was submitted on 04 Oct 2025

299 points (93.6% liked)

Today I Learned

25135 readers

786 users here now

What did you learn today? Share it with us!

We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.

** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**

Rule 2- Your post subject cannot be illegal or NSFW material.

Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding non-TIL posts.

Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you vocally harass or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.

Partnered Communities

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

founded 2 years ago

MODERATORS

Rooki@lemmy.world

_MoveSwiftly@lemmy.world

Thekingoflorda@lemmy.world

DriftingDeep@lemmy.world

ericisshort@lemmy.world

Decoy321@lemmy.world

299

TIL that if you search "Password generator, [x] characters, [y] strength" at DuckDuckGo, it will generate a password for you. (infosec.pub)

submitted 1 day ago by MeowerMisfit817@lemmy.world to c/til@lemmy.world

84 comments fedilink hide all child comments

top 50 comments

sorted by: hot top controversial new old

[–] jlow@discuss.tchncs.de 4 points 5 hours ago

Or just use your password manager. Where you save that password.

[–] MangoPenguin@lemmy.blahaj.zone 21 points 11 hours ago

Your password manager does this too!

[–] state_electrician@discuss.tchncs.de 2 points 7 hours ago

You can also just use "random password x" with x being a number. What I use more often is "random uuid" which I hope is self explanatory.

[–] ArcaneSlime@lemmy.dbzer0.com 16 points 13 hours ago

No thank you, KeepAssXC for me!

[–] kSPvhmTOlwvMd7Y7E@lemmy.world 23 points 15 hours ago (1 children)

$ Openssl rand 16 | base64

[–] raspberriesareyummy@lemmy.world 4 points 14 hours ago

today I learned. Thanks :)

[–] chicken@lemmy.dbzer0.com 39 points 16 hours ago* (last edited 16 hours ago) (1 children)

That's fucked up, they should not do that. Even if they do it in a way that users are actually secure (maybe generating the password in the browser, nothing serverside?), it isn't good to train people to trust a website for this.

[–] JennyLaFae@lemmy.blahaj.zone 26 points 16 hours ago

I've started using https://neal.fun/password-game/ to generate passwords 😊

[–] hakunawazo@lemmy.world 27 points 17 hours ago (1 children)

hunter2

[–] raspberriesareyummy@lemmy.world 12 points 13 hours ago

correct horse battery staple

[–] aesthelete@lemmy.world 30 points 19 hours ago (1 children)

I would definitely use those passwords! /s

load more comments (1 replies)

[–] possiblylinux127@lemmy.zip 18 points 20 hours ago

That isn't great from a security perspective

[–] sysop@lemmy.world 9 points 17 hours ago

$ pwgen -s -1 32

[–] TehBamski@lemmy.world 154 points 1 day ago (6 children)

This seems like one picked up data packet away from being a bad idea. Am I overthinking this?

[–] merc@sh.itjust.works 1 points 7 hours ago

This is probably ok. First of all, they're probably actually doing it in Javascript in the browser. It probably never travels over the network at all. And, if it did, with HTTPS it would be hard to intercept and decrypt except by a government or something.

But, it still gives me the willies to generate a password on a web page. Fundamentally a web browser is still a tool for sending and receiving data over the Internet, and that's not the kind of tool I'd want to be generating something that I don't want other people to know or see.

What happens if there's a bug? If the password is being generated in an app on my local system a badly designed app with a bug could maybe log my newly generated password in a local log file somewhere. If there's a bug in DuckDuckGo's javascript, who knows where that newly generated password might be logged?

[–] zergtoshi@lemmy.world 16 points 17 hours ago

With https as protocol, picked up data packets won't do much harm.
But relying on anything but a local password manager is imho still a bad idea.

[–] Sir_Kevin@lemmy.dbzer0.com 17 points 21 hours ago

Yeah I think I'll just click an icon in my password manager instead.

[–] Godort@lemmy.ca 77 points 1 day ago (6 children)

This is probably fine. The connection to DDG will be over HTTPS, so a captured packet would need to be decoded first. And if someone were to manage to break the encryption, then they would also need to know what service you used the password for.

Ultimately, it's more secure to generate locally, but it would be a huge amount of work to get anything usable out of a packet capture

load more comments (6 replies)

[–] who@feddit.org 30 points 1 day ago (1 children)

You are not overthinking it. Exploiting this would be a bit more complex than capturing a packet on the wire, but it is possible.

If you intend to use a passphrase for anything important, it's best to generate it locally.

load more comments (1 replies)

[–] tuckerm@feddit.online 41 points 1 day ago (4 children)

I like the little tools like this that DuckDuckGo has. A couple others:

"color picker"
"base64 encode your_text_here" (and "base64 decode encoded_string_here" as well)
"json formatter"

[–] MeowerMisfit817@lemmy.world 1 points 7 hours ago (1 children)

yeah

now tell me why are people hating it and putting codes on the comments

[–] tuckerm@feddit.online 1 points 6 hours ago (1 children)

I think a lot of people turned against DDG when they started pushing their AI generated results really hard. Seems like DDG is going all in on AI. I have started paying for Waterfox's search engine myself, after using DDG exclusively for years.

[–] catarina@lemmy.dbzer0.com 1 points 6 hours ago (1 children)

They still offer an alternative on their noai subdomain

[–] tuckerm@feddit.online 1 points 1 hour ago

Oh nice, that's good to know about.

I also just remembered that there's html.duckduckgo.com as well, which also seems to leave out any AI features.

[–] wetnoodle@lemmy.blahaj.zone 28 points 1 day ago (5 children)

my favorite is "qr code" best and easiest qr code generator

[–] denhafiz_@lemmy.world 5 points 15 hours ago

I like this as most qr generator websites make a link shortener kind of thing and put ads before my content.

[–] ChaoticNeutralCzech@feddit.org 1 points 11 hours ago* (last edited 7 hours ago)

You can type "qr url" and have it done in one step. However, unlike your two-step process that most likely just fetches results for the common "qr code" query from cache, this loads their servers unnecessarily. The same can be achieved in Firefox by bookmarking "https://qr.15c.me/tiny-qr.html#%s" (or a local copy of tiny-qr.html) and settting its keyword (not to be confused with tags) to "qr".

load more comments (3 replies)

load more comments (2 replies)

[–] 13igTyme@piefed.social 50 points 1 day ago* (last edited 1 day ago) (17 children)

If you're going to auto generate passwords, just use BitWarden.

[–] Cethin@lemmy.zip 4 points 17 hours ago

I use KeePass. It's just a local file (which you can sync/host how you see fit if you need to). I don't understand why people choose to use password managers hosted by other people. You almost certainly don't need that, and it introduces issues and vulnerabilities with little upside.

load more comments (16 replies)

load more comments