by aarreedd 2379 days ago
This isn't a great site or anything and you're right that the password should be generated client-side. But not everyone is on Linux or Mac and sometimes it's just easier to Google "password generator" than remembering that command.

Your comment reminds me of the infamous Dropbox comment: https://news.ycombinator.com/item?id=9224


There are plenty of actually secure and usable password generators, such as the one integrated with keepass / 1password / etc.

I'm sure there are secure websites to do it too. This isn't it though.

The dropbox comment isn't relevant. It's a bias to say "I remember this thing was criticized in a similar way but succeeded" and map that on to "so other criticisms aren't valid".

It's far more often that things seem unlikely to succeed to critics, and then quietly fail, than that things seem unlikely to succeed to critics, but then succeed. After all, almost everything ever made doesn't see widespread success.

Our brains do remember the latter cases more, and that leads to the bias.

I see it most commonly with the phrase "X started out small too" as a defence for why something small will grow to something big, when in reality that's cherry picking massively.

> there are secure websites to do it too.

Such websites have to be audited every single time you use them. Even if I only have a web browser and nothing else I would combine random.org and diceware.com instead of trusting some website.

Password managers and browsers themselves can generate passwords. Generating passwords with a website is a terrible idea; Googling "password generator" and going to some random website is an even worse variant of the same idea.

this is not a random website, this is "the browxy" site

I find it bizarre that you have exactly 3 comments in 5 years, all of which are on dbremmen's posts, who happens to be the creator of browxy [0].

Forgive me if I don't trust my password generation on the servers of someone who is either sock-puppeting, or having a friend do something that does not look all that different.

Even if I trust the person who runs the browxy website and servers, I don't trust my password generation to a multi-tenant environment. Browxy is running this code in Docker containers on a machine with many other Docker containers running arbitrary user-submitted code. The Intel vulnerabilities over the past year or so have made it incredibly clear that running sensitive code on the same CPU as totally untrusted and possibly malicious code is a dangerous proposition and there are numerous potential side channels to exfiltrate data.

Trusting password generation to a website that generates passwords on a shared machine is even worse than the usual password generation website which at least uses javascript/securerandom to do it on my CPU.

[0]: https://news.ycombinator.com/item?id=11719439

If you look at submissions of these two accounts it's even worse.

Yes, you're right. I just created this password generator for fun in the browxy online compiler. The UI is auto-generated with a tool that the site provides. I'm just curious why this tool caused so much interest and wondering what other tools can be built that cause this type of interest...