The additional features this tool brings (port enumeration, list usb devices, system info), makes me thing the tool was not designed for good/ethical reasons, but to ease the life of infostealers that are usually distributed via Discord.
Say you're building a feature for a password manager to import passwords from firefox. You'd want the the firefox decryption functions to be available as library.
Or say you're building a tool to extract data from broken hard drives, partially recovered filesystems, etc. Again, you'd want to have this available as a library so you can import the functions you need and use them in your own tooling.
Normally you'd expect this package to primarily export a lib with a "cli" subfolder that provides a sample CLI tool that imports the lib.
The fact that this tool requires libusb which is solely needed for the useless list usb devices functionality is extremely sketchy. It makes using this tool legitimately harder and only helps attackers.
In the grown up world where people can hold a respectful discussion, there's a difference between being able to use stock code in your malware and distributing ready-to-be-used code.
You are aware that satellite guided surface to air missile systems are not a mere git clone away? There are good reasons for controlling weapons, while still letting everybody be free to study them.
What's the idea behind a satellite guided surface to air missile system? The ground station detects the target with radar, derives a set of GPS coordinates for an intercept, transmits those coordinates to the missile, and the missile guides itself to them via GPS receiver? Seems suboptimal.
There are a large number of similar projects out there.
I implemented login credential extraction for both Chrom* and FF-based browsers in the somewhat shambolic but generally-useful `browser_cookie3` Python module last year:
Love the brutal honesty! Even as a macOS user I admit that it's difficult to justify learning the Apple-proprietary tech needed to port apps to it (and automated testing is indeed a nightmare). Curious as to your thoughts on Android?
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
Chrome uses it too. However the CDP protocol allows any local app to control the browser so you can use that to open the browser in windowless mode, examine the list of passwords at chrome://passwords, then open a bunch of tabs to all of those sites and extract the passwords from the HTML forms they get auto-inserted into.
Each keychain item on macOS has an access control list associated with it that lists the applications that are granted access to the keychain item. If an application not on the ACL attempts to access a keychain item, macOS prompts the user for authorization. The ACL entries identify applications based on properties of their code signature and so are not spoofable.
Correct. The best part of this system (Keychain Access) is that it has been around for more than 20 years. Only this year it got a UX makeover.
One interesting thing I noticed is that Chrome and Firefox can also seamlessly see and use Passkeys I stored in Safari even if normally they don't read the passwords from there.
Using each passkey however still requires a fingerprint every time.
Why is this surprising and why do you expect the situation with external password managers to be different? If you can decrypt it other software running on your computer can too.
A password manager integrated with the browser could be compromised by a vulnerability in the browser as well exploited by something running within the browser.
Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit will expose how to retrieve arbitrary information from the external tool.
And of course, the external tool can have plenty of exploitable leaks unrelated to whether or not it’s integrated to some browser.
If the goal is to have better security, no method of using password alone will bring significant improvement to an authentication system, no matter how great the password manager it’s used with.
> Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit…
Which is why my password manager has zero integration directly with the browser, or anything else for that matter. There is a tiny little bit of extra legwork caused by this⁰, but IMO it is a good compromise between convenience and easily available attack surface.
----
[0] and it might be susceptible to attacks that manage to listen to the OS message queue & clipboard where a browser integrated method would not be, but once something is that far into your system there isn't much that is going to help you except maybe an orbital nuke.
> Which is why my password manager has zero integration directly with the browser, or anything else for that matter
The ideal amount of integration is actually non-zero. Manually copy-pasting passwords makes you susceptible to URL phishing, unless you also consistently copy from the browser URL bar into your password manager.
Any tool can have leaks, but integration with an application that connects to large numbers of servers over the internet seems to be a huge increase in attack surface to me, compared to a password manager that is external to the browser.
What is your risk model? An attacker who can install cameras in your house to see your PIN/password? An attacker with a blunt object and the clear intent to harm you if you don't unlock your phone? Your spouse who you trust enough to loan your device to look at a cat pic?
My threat model is accidentally installing malware that reads the database of my passwords. I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
>I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
You can set a "primary password" for firefox's password manager, meaning that you first have to enter a password before you can access the stored passwords. That should provide equivalent security to using KeepassXC.
So malware which installs a key scanner to read everything you enter is outside of your threat model, as is external surveillance to record what you type.
Choose a password manager which you like. I like having a paper book with a dumb-ass encryption scheme, because my threat model is that I am not going to worry about physical attacks, and servers will detect attempts to brute-force the dumb-ass scheme by adding delays after the first few failures.
I use Firefox's manager for my Mastodon accounts, because no one cares for my 10 followers, and the instance manager can resolve things if needed.
Isn't your last paragraph part of the problem, though? To paraphrase, you use Firefox's password manager for things you don't care about. So, those simple passwords are tied to small accounts that, individually add up to nothing, but together start to build a little cache of your emails, throwaway passwords and other tiny bits of data that all get collated with other data scraped about you. This much larger data cache then gets sold and used I attacks like credential stuffing to access even more data, etc.
You're posture is assuming that if it doesn't matter to you, then it doesn't matter at all, and that simply is not true.
Surprising that someone care to invest so much effort in it unless it can unlock some institutional level threats to leverage on for some geo-political negotiation or at least plots between big companies. But impressive hack, not necessarily.
> little cache of your emails, throwaway passwords
I have five passwords in my Firefox manager. (More if I include the ones which are no longer valid, like a few ftp passwords, and passwords to routers I no longer use.)
I think I'm safe.
I avoid online services which require identity as much as I can, because yes, any data builds up. Which means, yes, I buy things in stores, not online, I use cash, not credit/debit/e-cash, and I don't use apps.
If you do use online services, apps, etc., then it sure feels like you are assuming that information leak doesn't matter to you, so it doesn't matter at all.
With 50 people or so people active on my instance, the change will be noticed quickly, the account suspended, and the owner will get a hold of me through other means.
Everything I post is with the knowledge it will be public, analyzed, regurgitated, and held against me in a court of law.
Every KeePass-based solution I've tried was far from ready for normal users. Because they need browser integration out of the box, and it has to be smooth. Even BitWarden is still too difficult to use.
I never found a way to lock the password manager in Firefox with its own password. They probably aren't bad, but they are also way behind on features and general usability, as compared to standalone password managers.
If you have passwords that are used outside the browser, putting them into the browsers password manager, getting them out feels a little cumbersome.
Related to the tool: Why not just click the export button in Firefox?
I would love to hear any suggestions for how to remove all my stored passwords in Firefox. I used to use Firefox password manager but moved to Bitwarden. It has been surprisingly difficult to remove passwords completely as I'm using Firefox Sync, and they just get restored from one of my devices.
If you glance at the code there's a single "key encryption key" in the whole SQLITE file (in the 'metadata' table). That key is decrypted using AES with the PBKDF2 derived secret.
Then each password is in turn encrypted using TripleDES. The "data encryption key" for each these records is in turn encrypted using the aforementioned "key encryption key".
My suspicion is that the TripleDES format must be really old, and when they migrated the crypto layer to use AES they just re-encrypted the top layer (the "key encryption key" later) to use AES. It's much faster (and safer) to just re-encrypt all the TripleDES keys with the new AES than go and mess with "all" the records in the database. It's inelegant and lazy but you effectively get "AES level" of security without having to do all the work, so to speak…
I don't know about the particular case of TripleDES+AES but I think in a general case you can't claim that A+B encryption is always at least as strong as B alone. The A part can result in e.g. first bytes of input being the same enabling a crib-type attack.
I'm not defending this choice, and I think you're right in general.
In this case, the only thing encrypted with TripleDES is the password itself, so the practicality of a crib or other known plaintext attacks is debatable in my opinion.
If you use the same (or similar) password everywhere, then you have bigger worries than Firefox use of TripleDES. Password stuffing based with leaks from poorly hashed password DB (cough facebook cough) is likely the most practical attack vector in this case.
If all your passwords are like q@qrG#Z4ARYm^qjeTEMN2Kh45v^p7L# then crib like attacks are impractical.
There are other weird/debatable choices in the Firefox encryption layer:
- Why bother with CBC? Things like AES-GCM or other authenticated* encryption mode would be nicer. Not sure it's a flaw here (google the cryptographic doom principle of Moxie Marlinspike)
- Why not wrap the encryption keys with some kind of "key wrap" mode instead. There are such things as AES-KV for instance.
- Why do the weird PBDKF2 derivation here? It's not based on a password the player enters, so there's nothing to "strengthen"? Seems oddly unnecessary (or I don't understand and there's a password somewhere).
- If there's a password then PBKDF2 is really really shit compared to scrypt or even better one the variant of argon OWASP said you should use.
> - Why do the weird PBDKF2 derivation here? It's not based on a password the player enters, so there's nothing to "strengthen"? Seems oddly unnecessary (or I don't understand and there's a password somewhere).
If you set a master password, firefox uses that master password instead as input to PBKDF2.
But honestly I’d stay away from PBDKF2 at this stage. If you look at OWASP they recommend 600k rounds. That number is getting bigger and bigger all the time (10k rounds used to be enough over a decade ago)
I would mostly say that it's just slow and AES is a much more modern and faster (partly due to hardware acceleration built into modern chips) that is already built info Firefox to support TLS anyways. There are some known attacks against 3DES now, but nothing that completely breaks it yet. And, since this is just for local storage, primarily, it shouldn't be as vulnerable as using 3DES for TLS channel encryption.
For a password manager, whether a cipher is fast or slow could mean something entirely different than for something that has to encrypt and decrypt large amounts of data. Cycles per byte is probably completely irrelevant here and I'd expect performance to basically be a function of how many cache misses (both data and code) are incurred to decrypt a single password.
Thanks, even tho the comment above signaled sarcasm, the explanation was helpful for me, as I really had no idea what 3DES means and why it could be problematic.
Create a search keyword for Wikipedia. Then you can type "wiki whatever" into your address bar and be taken right to Wikipedia without the google middleman.
I've been experimenting with Kagi for those reasons (amongst others) and finding it works well. Far from ideal for all as it isn't free after 100 queries, but it seems to be a workable solution to the problem for me for now.
Meh...not immune, just resistant. There's unfortunately a big difference. LLM slop is coming in at the corners, typically on articles that are less well-patrolled.
Is this some AI generated rubbish or actual code that works? If this is code that works, does setting a primary password protect against this decryptor?
NO ONE should trust a website delivering JS that could do who-knows what the next time they skip reading the code. Like, send the inputs to a third party.
Please delete this project and your comment.
If you want to be helpful, write native code that user can read, compile, and install, and persistently use without risk of backdoor-out-of-the blue.
Do you read your password manager's code every time it updates? Probably not, because you trust the author's reputation.
I wouldn't trust this page with my passwords either, but not because of the reasons that you mention. I haven't checked, but maybe it is simple enough to read the code in its entirety and then self-host? If so, nothing wrong with that.
It's hosted on GitHub Pages so you don't need to check if the code has changed. Just look for any commits. From what I can see, the last one was three months ago
The additional features this tool brings (port enumeration, list usb devices, system info), makes me thing the tool was not designed for good/ethical reasons, but to ease the life of infostealers that are usually distributed via Discord.
It's not even done well.
Say you're building a feature for a password manager to import passwords from firefox. You'd want the the firefox decryption functions to be available as library.
Or say you're building a tool to extract data from broken hard drives, partially recovered filesystems, etc. Again, you'd want to have this available as a library so you can import the functions you need and use them in your own tooling.
Normally you'd expect this package to primarily export a lib with a "cli" subfolder that provides a sample CLI tool that imports the lib.
The fact that this tool requires libusb which is solely needed for the useless list usb devices functionality is extremely sketchy. It makes using this tool legitimately harder and only helps attackers.
[flagged]
In the grown up world where people can hold a respectful discussion, there's a difference between being able to use stock code in your malware and distributing ready-to-be-used code.
You are aware that satellite guided surface to air missile systems are not a mere git clone away? There are good reasons for controlling weapons, while still letting everybody be free to study them.
No one is talking about a satellite guided surface to air missile system.
A weapon is a weapon.
We outlawed sticks because sticks can be used to press the red "do not press" button
Congratulations, we’ve mapped the space of possible harm from mild discomfort to death.
What's the idea behind a satellite guided surface to air missile system? The ground station detects the target with radar, derives a set of GPS coordinates for an intercept, transmits those coordinates to the missile, and the missile guides itself to them via GPS receiver? Seems suboptimal.
Something like that. It’s really only useful when you have to intercept at really long distances, as in ballistic missile defense.
Professionals can assemble their own tools. Why package it up all nice for the skiddies?
There are a large number of similar projects out there.
I implemented login credential extraction for both Chrom* and FF-based browsers in the somewhat shambolic but generally-useful `browser_cookie3` Python module last year:
https://github.com/borisbabic/browser_cookie3/compare/master...
> Safari listed as supported
Interesting, does this work on the latest releases? If so you might want to let this fellow know to adjust their threat model accordingly :)
https://news.ycombinator.com/item?id=41912226
My personal threat model for all Apple products is that I don't care about them at all: http://dlenski.github.io/macOS_nope.html
Love the brutal honesty! Even as a macOS user I admit that it's difficult to justify learning the Apple-proprietary tech needed to port apps to it (and automated testing is indeed a nightmare). Curious as to your thoughts on Android?
Is it even safe to use browser-integrated password managers? I think they're so much easier to use than external solutions such as KeepassXC, but if it's so easy to decrypt their databases...
Safari's absolutely. It uses a OS-wide keychain secured via hardware.
Chrome uses it too. However the CDP protocol allows any local app to control the browser so you can use that to open the browser in windowless mode, examine the list of passwords at chrome://passwords, then open a bunch of tabs to all of those sites and extract the passwords from the HTML forms they get auto-inserted into.
Does this prevent other software running on the same hardware from accessing the keychain?
E.g. on Windows, any program can access the entirety of the credential store for the current user.
Each keychain item on macOS has an access control list associated with it that lists the applications that are granted access to the keychain item. If an application not on the ACL attempts to access a keychain item, macOS prompts the user for authorization. The ACL entries identify applications based on properties of their code signature and so are not spoofable.
Correct. The best part of this system (Keychain Access) is that it has been around for more than 20 years. Only this year it got a UX makeover.
One interesting thing I noticed is that Chrome and Firefox can also seamlessly see and use Passkeys I stored in Safari even if normally they don't read the passwords from there.
Using each passkey however still requires a fingerprint every time.
Passkeys are a different story than the keychain more generally. Other browsers that work with passkeys via the system APIs had to jump through hoops and get Apple's approval to do so: https://developer.apple.com/documentation/bundleresources/en...
Why is this surprising and why do you expect the situation with external password managers to be different? If you can decrypt it other software running on your computer can too.
A password manager integrated with the browser could be compromised by a vulnerability in the browser as well exploited by something running within the browser.
Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit will expose how to retrieve arbitrary information from the external tool.
And of course, the external tool can have plenty of exploitable leaks unrelated to whether or not it’s integrated to some browser.
If the goal is to have better security, no method of using password alone will bring significant improvement to an authentication system, no matter how great the password manager it’s used with.
> Well, unless there is zero integration with the browser, then it’s just a matter of time before some exploit…
Which is why my password manager has zero integration directly with the browser, or anything else for that matter. There is a tiny little bit of extra legwork caused by this⁰, but IMO it is a good compromise between convenience and easily available attack surface.
----
[0] and it might be susceptible to attacks that manage to listen to the OS message queue & clipboard where a browser integrated method would not be, but once something is that far into your system there isn't much that is going to help you except maybe an orbital nuke.
> Which is why my password manager has zero integration directly with the browser, or anything else for that matter
The ideal amount of integration is actually non-zero. Manually copy-pasting passwords makes you susceptible to URL phishing, unless you also consistently copy from the browser URL bar into your password manager.
This is a much more likely attack scenario than browser zero days.
Any tool can have leaks, but integration with an application that connects to large numbers of servers over the internet seems to be a huge increase in attack surface to me, compared to a password manager that is external to the browser.
That depends on how it is designed.
Is Firefox's designed in a way that prevents that?
Given it can automatically insert passwords for a site, something in the browser can access passwords.
What is your risk model? An attacker who can install cameras in your house to see your PIN/password? An attacker with a blunt object and the clear intent to harm you if you don't unlock your phone? Your spouse who you trust enough to loan your device to look at a cat pic?
My threat model is accidentally installing malware that reads the database of my passwords. I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
>I trust my KeepassXC database because I use a strong and long password, so even if malware can read my KeepassXC file, it won't be able to extract the passwords. I feel like Firefox is not as safe.
You can set a "primary password" for firefox's password manager, meaning that you first have to enter a password before you can access the stored passwords. That should provide equivalent security to using KeepassXC.
> You can set a "primary password" for firefox's password manager
Wow. I've been using Firefox for 18+ years and I've never knew about this feature! Thanks!
So malware which installs a key scanner to read everything you enter is outside of your threat model, as is external surveillance to record what you type.
Choose a password manager which you like. I like having a paper book with a dumb-ass encryption scheme, because my threat model is that I am not going to worry about physical attacks, and servers will detect attempts to brute-force the dumb-ass scheme by adding delays after the first few failures.
I use Firefox's manager for my Mastodon accounts, because no one cares for my 10 followers, and the instance manager can resolve things if needed.
Isn't your last paragraph part of the problem, though? To paraphrase, you use Firefox's password manager for things you don't care about. So, those simple passwords are tied to small accounts that, individually add up to nothing, but together start to build a little cache of your emails, throwaway passwords and other tiny bits of data that all get collated with other data scraped about you. This much larger data cache then gets sold and used I attacks like credential stuffing to access even more data, etc.
You're posture is assuming that if it doesn't matter to you, then it doesn't matter at all, and that simply is not true.
He stated the higher security model he uses; a paper book. As well as his threat model, which is pretty coherent and relevant in this modern age.
I'd love to see someone "hack" his book, it would be quite the impressive hack.
Surprising that someone care to invest so much effort in it unless it can unlock some institutional level threats to leverage on for some geo-political negotiation or at least plots between big companies. But impressive hack, not necessarily.
https://xkcd.com/538/
https://xkcd.com/2176/
> little cache of your emails, throwaway passwords
I have five passwords in my Firefox manager. (More if I include the ones which are no longer valid, like a few ftp passwords, and passwords to routers I no longer use.)
I think I'm safe.
I avoid online services which require identity as much as I can, because yes, any data builds up. Which means, yes, I buy things in stores, not online, I use cash, not credit/debit/e-cash, and I don't use apps.
If you do use online services, apps, etc., then it sure feels like you are assuming that information leak doesn't matter to you, so it doesn't matter at all.
Trust me, automated bot sending malware always care about your accounts.
With 50 people or so people active on my instance, the change will be noticed quickly, the account suspended, and the owner will get a hold of me through other means.
Everything I post is with the knowledge it will be public, analyzed, regurgitated, and held against me in a court of law.
Your malware would still need the password for the PBKDF step to decrypt the Firefox database
> risk model
Hah. Don't bother us with your mumbo-jumbo, we're doing computer security here.
I will take Kamchatka from Alaska, using my model cannon, my model horsemen and my three model soldiers.
Every KeePass-based solution I've tried was far from ready for normal users. Because they need browser integration out of the box, and it has to be smooth. Even BitWarden is still too difficult to use.
I never found a way to lock the password manager in Firefox with its own password. They probably aren't bad, but they are also way behind on features and general usability, as compared to standalone password managers.
If you have passwords that are used outside the browser, putting them into the browsers password manager, getting them out feels a little cumbersome.
Related to the tool: Why not just click the export button in Firefox?
Check "Use a Primary Password" in preferences.
reasonably certain this doesn't encrypt your cookies
which are in some cases better than your passwords (already passed 2FA, etc)
I would love to hear any suggestions for how to remove all my stored passwords in Firefox. I used to use Firefox password manager but moved to Bitwarden. It has been surprisingly difficult to remove passwords completely as I'm using Firefox Sync, and they just get restored from one of my devices.
You have to sign out of all devices and choose to delete the local data while you do so.
Another option is to delete your Mozilla account and recreate it, if you're not using it for anything other than Firefox Sync.
No Primary Password ?
Firefox is using TripleDES??
It uses both AES and TripleDES
If you glance at the code there's a single "key encryption key" in the whole SQLITE file (in the 'metadata' table). That key is decrypted using AES with the PBKDF2 derived secret.
Then each password is in turn encrypted using TripleDES. The "data encryption key" for each these records is in turn encrypted using the aforementioned "key encryption key".
My suspicion is that the TripleDES format must be really old, and when they migrated the crypto layer to use AES they just re-encrypted the top layer (the "key encryption key" later) to use AES. It's much faster (and safer) to just re-encrypt all the TripleDES keys with the new AES than go and mess with "all" the records in the database. It's inelegant and lazy but you effectively get "AES level" of security without having to do all the work, so to speak…
https://github.com/Sohimaster/Firefox-Passwords-Decryptor/bl...
I don't know about the particular case of TripleDES+AES but I think in a general case you can't claim that A+B encryption is always at least as strong as B alone. The A part can result in e.g. first bytes of input being the same enabling a crib-type attack.
I'm not defending this choice, and I think you're right in general.
In this case, the only thing encrypted with TripleDES is the password itself, so the practicality of a crib or other known plaintext attacks is debatable in my opinion.
If you use the same (or similar) password everywhere, then you have bigger worries than Firefox use of TripleDES. Password stuffing based with leaks from poorly hashed password DB (cough facebook cough) is likely the most practical attack vector in this case.
If all your passwords are like q@qrG#Z4ARYm^qjeTEMN2Kh45v^p7L# then crib like attacks are impractical.
There are other weird/debatable choices in the Firefox encryption layer:
- Why bother with CBC? Things like AES-GCM or other authenticated* encryption mode would be nicer. Not sure it's a flaw here (google the cryptographic doom principle of Moxie Marlinspike)
- Why not wrap the encryption keys with some kind of "key wrap" mode instead. There are such things as AES-KV for instance.
- Why do the weird PBDKF2 derivation here? It's not based on a password the player enters, so there's nothing to "strengthen"? Seems oddly unnecessary (or I don't understand and there's a password somewhere).
- If there's a password then PBKDF2 is really really shit compared to scrypt or even better one the variant of argon OWASP said you should use.
> - Why do the weird PBDKF2 derivation here? It's not based on a password the player enters, so there's nothing to "strengthen"? Seems oddly unnecessary (or I don't understand and there's a password somewhere).
If you set a master password, firefox uses that master password instead as input to PBKDF2.
Ab yeah. In that case it makes perfect sense.
But honestly I’d stay away from PBDKF2 at this stage. If you look at OWASP they recommend 600k rounds. That number is getting bigger and bigger all the time (10k rounds used to be enough over a decade ago)
https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
I would use Argon or scrypt (which is basically PBKDF2 in a loop with some weird mixes) instead.
The README is surely LLM slop.
What…?
https://en.wikipedia.org/wiki/Slop_(artificial_intelligence)
I’m familiar with _the term_ and the phenomenon, but I am incredulous at the evidence-free claim that the project’s README is AI slop.
> Firefox is using TripleDES??
What's wrong with it ? /s
I would mostly say that it's just slow and AES is a much more modern and faster (partly due to hardware acceleration built into modern chips) that is already built info Firefox to support TLS anyways. There are some known attacks against 3DES now, but nothing that completely breaks it yet. And, since this is just for local storage, primarily, it shouldn't be as vulnerable as using 3DES for TLS channel encryption.
For a password manager, whether a cipher is fast or slow could mean something entirely different than for something that has to encrypt and decrypt large amounts of data. Cycles per byte is probably completely irrelevant here and I'd expect performance to basically be a function of how many cache misses (both data and code) are incurred to decrypt a single password.
Thanks, even tho the comment above signaled sarcasm, the explanation was helpful for me, as I really had no idea what 3DES means and why it could be problematic.
I shudder to think that even a simple Google query leading to a Wikipedia article was too much effort here...
https://en.wikipedia.org/wiki/Triple_DES
Any "simple" Google query now means pages of nonsense answers, promoted sites, AI "help", before you even get to a cogent result.
Much better to just talk to others than use Google.
When I google „TripleDES“, the first result is a box showing the Wikipedia article on Triple DES. Click on that and you’re done.
Create a search keyword for Wikipedia. Then you can type "wiki whatever" into your address bar and be taken right to Wikipedia without the google middleman.
> promoted sites, AI "help"
I've been experimenting with Kagi for those reasons (amongst others) and finding it works well. Far from ideal for all as it isn't free after 100 queries, but it seems to be a workable solution to the problem for me for now.
Agree with the sentiment, but that's a Wikipedia link. Wikipedia is (as of yet) immune to LLM slop
Meh...not immune, just resistant. There's unfortunately a big difference. LLM slop is coming in at the corners, typically on articles that are less well-patrolled.
Reddit, got it.
and Google and quora are in cahoots, right?
The problem wasn't that a google search was to much effort, I just happened to be in the comments and saw this right with an explanation below it.
I actually read up on it quite a bit afterwards.
Feels very unwarranted to just assume laziness into a simple thank you for information spreading.
Is this some AI generated rubbish or actual code that works? If this is code that works, does setting a primary password protect against this decryptor?
does Chrome doing this better?
https://security.googleblog.com/2024/07/improving-security-o... talks a little about improvements Chrome has made on Windows to make it harder for malicious software to access the encryption key used to encrypt cookies and passwords on disk.
You still need access to the key to decrypt it regardless of the browser.
Is this some AI generated bullshit?
[flagged]
NO ONE should trust a website delivering JS that could do who-knows what the next time they skip reading the code. Like, send the inputs to a third party.
Please delete this project and your comment.
If you want to be helpful, write native code that user can read, compile, and install, and persistently use without risk of backdoor-out-of-the blue.
Do you read your password manager's code every time it updates? Probably not, because you trust the author's reputation.
I wouldn't trust this page with my passwords either, but not because of the reasons that you mention. I haven't checked, but maybe it is simple enough to read the code in its entirety and then self-host? If so, nothing wrong with that.
Very rude comment imho.
Do 1password/lastpass extensions not include remote code/resources? Of course they do.
1. You can fork this repository and do whatever you want with it (e.g., self-host). The license is public domain.
2. If you save this page to your disk, everything will still work offline.
It's hosted on GitHub Pages so you don't need to check if the code has changed. Just look for any commits. From what I can see, the last one was three months ago
I forge git commits now and then so I know this but maybe it is not common knowledge. Git commits can be forged.
Content and dates can be changed.
That assumes that the code was honorable in the first place. I think you have to assume that this was not posted by someone with honorable intentions.
I like this, but it needs to be an offline cli before I would use it :)
It's a cool idea, all you need to remember is the service and the master password.
But you need to make it easy to run on a local computer to convince the die hards. ;)
idk why this got downvoted.
You created something cool and it pays tribute to a loved one.
Awesome.