Hoshino Lina (ζ˜ŸδΉƒγƒͺγƒŠ) 🩡 3D Yuri Wedding 2026!!!May 28

OMG. Apparently tons of people have been generating secrets on an old server-side key generation website that had incredibly weak entropy. Like, 10 bits or something.

The website was allkeysgenerator[.]com. Here is a dump of 1000 keys generated on it. Searching for the URL finds hundreds of people recommending it for key generation.

Some of these snippets have hundreds of GitHub results.

The exact algorithm is unknown but (see below) It generates extremely predictable strings, you can visually see how the delta from character to character is almost constant. Thanks @dramforever for doing some analysis here. Their script here can generate the vast majority of sequences from this website.

Update: This script generates the entire list from a single seed, and large chunks of another.

I'm certain you can break into production websites using these keys for cookie signing etc.

Show threadRachel RawlingsMay 28

@lina @dramforever Eeeeek.

(Deleted reference to DDG's implementation of pwgen)

Show threadHoshino Lina (ζ˜ŸδΉƒγƒͺγƒŠ) 🩡 3D Yuri Wedding 2026!!!May 28

@linuxandyarn @dramforever

...what. Why would you trust duckduckgo with server-side password generation?!

Show threadRachel RawlingsMay 28

@lina @dramforever Maybe I'm not sure why you're putting server-side in bold. I'm talking about creating unique passwords for random sites, and I expect DDG to have more entropy than the one you mentioned.

Generating locally with `pwgen -sy` is best, but if someone does need an online generator, then yes, I'd trust DDG more than most.

Show threadBrian Campbell

@linuxandyarn @lina @dramforever The more people a secret is shared with, the less secret it is.

A DDG based password generator is at least shared with DDG.

It's also done via some kind of pugin system they have? It says:

This Instant Answer was made by the DuckDuckHack Community.
Developer: cinlloc
Developer: mintsoft

But this DuckDuckHack program was shut down nearly a decade ago.

Was this particular plugin system developed for secure generation? Or are they logging every one of the "answers" produced by it somewhere? What happens if those logs are compromised, or law enforcement does an overly broad request for information that pulls all of these logs?

And since this whole DuckDuckHack instant answers submission system seems to have shut down, there aren't any docs available online for it any more, you have to dig through the internet archives to even find docs on how it worked. Is any of this even maintained?

May 28 at 3:36pmWeb
Show threadRachel RawlingsMay 28
@unlambda @lina @dramforever Ok, fair.
Show threadHoshino Lina (ζ˜ŸδΉƒγƒͺγƒŠ) 🩡 3D Yuri Wedding 2026!!!May 28

@linuxandyarn @unlambda @dramforever More importantly, there are a zillion password generator websites that generate the password *locally* in JS, which makes them infinitely more trustable than what DDG is doing.

I would go as far as saying that DDG feature is appalling, and should not exist as implemented. It makes me want to stop using it as my default search engine. No responsible website should ever even attempt to implement a password generator like that. That's exactly what brought us to the mess I mentioned in OP.

Show threadHoshino Lina (ζ˜ŸδΉƒγƒͺγƒŠ) 🩡 3D Yuri Wedding 2026!!!May 28

@linuxandyarn @unlambda @dramforever Without doing a full audit, the top 5 results on DDG for "password generator" look local, judging by latency (checking on phone, too lazy to pull up DevTools on a PC and check properly).

It really is irresponsible to implement a password generator site in any other way.

Show threadBrian CampbellMay 28

@lina @linuxandyarn @dramforever I think I found the source for the DDG password generator here: https://github.com/duckduckgo/zeroclickinfo-goodies/blob/master/lib/DDG/Goodie/Password.pm

Most of these instant answers on DDG seem to be contributed via this (now shut down) open source program.

The password generation itself is... OK. It uses the slightly biased modulo for randomly picking characters, but I checked and so does `pwgen`; for generating passwords where you're not trying to optimize for things like readability/easiness to type and not strictly controlling the entropy, that's not terrible. It does use urandom for its entropy source which is likely the best option.

But yeah, just doing this server side is a terrible idea. It could be logged, it could be cached. It doesn't appear that it's cached, it gives me a new one every time, but who's to say they won't at some point say "these instant answers are taking up too much CPU, let's add a cache in front of them" and then a bunch of people get the same password.

zeroclickinfo-goodies/lib/DDG/Goodie/Password.pm at master Β· duckduckgo/zeroclickinfo-goodies

DuckDuckGo Instant Answers based on Perl & JavaScript - duckduckgo/zeroclickinfo-goodies

GitHub
Show threadprincess pancake β€‹May 28
@lina @linuxandyarn @unlambda @dramforever ironically enough it's probably generated on some Azure server or whatever