Do you trust them? How much?

Thread Starter

atferrari

Joined Jan 6, 2004
4,763
These are concrete questions, not a rant in disguise.

a) Sites such as duckduckgo.com say they are not tracking their users. How could mere mortals, not conversant with the innards of the Web (my case), confirm that?

b) Couldn't the virtual keyboards offered for home banking be reverse engineered for on-the-fly decoding?

c) Hardware versus virtual keyboards? What do you think?

d) Sites offering to verify how good/strong your passwords are: aren't they plain collecting points for passwords from candid users?
 

jpanhalt

Joined Jan 18, 2008
11,087
I probably know the innards of the web less than you do. Here are some things I do:

For (a): Clear and turn off cookies for a site (relatively easy to do with Chrome). See how the site responds. Not infallible, but a hint.

For (d): I use a "call back" system and never give a password or "sign in" without exiting, doing an independent search for the real URL, reconnecting, and maybe signing in. Just last week, I was doing some browsing for a high frame rate camera, and several times, I got a message page that said I needed to sign in to Chrome to continue. It looked very official. I would rather live without that little nugget of information than sign in from a prompt like that. So, I exited. As it was, I got the information I needed without signing in to anything.

As for (b) not much advice. I avoid online banking unless I am simply checking a deposit or total. Telephone calls are probably more secure, and my bankers know me. I do online trades, but presumably my broker's site is secure. Never had any issue with them. I am anxious to hear more information on (a).
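The cookie check above can be made concrete. What follows is an added example, not jpanhalt's or anyone else's code from this thread: given a site's raw HTTP response headers and HTML (here a constructed sample with hypothetical hosts, so it runs offline), it reports the two things a non-expert can actually observe about tracking, namely which cookies the site sets and whether any of them outlive the browser session, and which third-party hosts the page loads scripts, images and frames from. The registrable-domain split is a deliberate simplification (last two labels) and is wrong for suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample response (hypothetical hosts): the page sets one session
# cookie and one year-long cookie, and loads resources from two origins.
SAMPLE_PAGE_URL = "https://www.example-search.net/"
SAMPLE_HEADERS = [
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: uid=7f3e; Max-Age=31536000; Path=/; Secure; SameSite=None",
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-search.net/app.js"></script>
<script src="https://stats.third-party-metrics.example/t.js"></script>
</head><body>
<img src="https://images.example-search.net/logo.png">
<img src="https://px.third-party-metrics.example/1x1.gif?u=7f3e">
</body></html>"""


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Wrong for suffixes like co.uk;
    use the Public Suffix List for real work."""
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header: str) -> dict:
    """Pull the name and the tracking-relevant attributes out of a Set-Cookie line."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    max_age = int(attrs["max-age"]) if "max-age" in attrs else None
    return {
        "name": name,
        "max_age": max_age,
        # A cookie without Max-Age/Expires dies with the browser session;
        # a persistent one is what lets a site recognise you next week.
        "persistent": max_age is not None or "expires" in attrs,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite"),
    }


class _ResourceCollector(HTMLParser):
    """Collect URLs of scripts, images, frames and stylesheets the page loads."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])


def third_party_hosts(html: str, page_url: str) -> list:
    """Hosts the page loads from that lie outside the page's own registrable domain."""
    collector = _ResourceCollector()
    collector.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative URLs like /static/site.css
        if host and registrable_domain(host) != first_party:
            hosts.add(host)
    return sorted(hosts)


def tracking_report(headers: list, html: str, page_url: str) -> dict:
    """Everything a user could learn from one response about who can recognise them."""
    cookies = [parse_set_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]
    return {
        "cookies": cookies,
        "persistent_cookies": [c["name"] for c in cookies if c["persistent"]],
        "third_party_hosts": third_party_hosts(html, page_url),
    }


if __name__ == "__main__":
    report = tracking_report(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("persistent cookies:", report["persistent_cookies"])
    print("third-party hosts:", report["third_party_hosts"])
```

On the sample, the session cookie `sid` is harmless by itself, the year-long `uid` is the one to ask about, and the two `third-party-metrics.example` hosts receive that same identifier in a request the first-party site never needed to make. A site that sets no persistent cookie and loads nothing from outside its own domain has at least removed the easy ways of recognising a returning visitor; what it logs server-side (IP address, query text) cannot be checked from the client, which is the honest answer to question (a).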
 

ArakelTheDragon

Joined Nov 18, 2016
1,362
Sometimes it is hard to say if they are really doing it, but they certainly can!

Every idiot became a boss/manager/reporter/doctor, because these professions do not require thinking; all you need to do is say things! Like the idiots who invented the shredder: they kept saying and saying and selling to the other idiots in companies until someone finally showed that the shredder does nothing and is completely worthless.

If the idiots are not doing it, they will do it, it is only a matter of time!
 

xox

Joined Sep 8, 2017
838
a) Impossible to confirm because their code is proprietary (some of it is up on GitHub, but the important bits are still closed-source).

b) If you mean reverse-engineered for the purpose of identifying and exploiting potential vectors of attack, then theoretically yes.

c) From a practical standpoint at least virtual keyboards are probably easier to secure than physical ones. Hardware virtualization strategies and such can help to close that gap however.

d) Possible, but of course that's just another good reason why you should never use human-generated passwords. All of the ones I use are generally 20-30 characters long and programmatically generated. That averages out to something in the ballpark of 10^40 possible permutations; even if someone were able to test a thousand strings per second it would still take billions and billions of years to run through the entire state space! My actual password, which has remained unchanged for several years now, is exactly 13 characters in length (only the hash salt provided to my password generator is different, and that's typically just the name of the root domain of the website itself).

So for example:

HASH("FrogLemonBoots", "allaboutcircuits.com") = ff43ad4cfcca189ad57e16000f6ee8
HASH("FrogLemonBoots", "allacoutcircuits.com") = 76baef1887e79079aaa09ee36c4ff6

In other words, only a single bit of difference in the salt results in two very different "public" passwords.
 
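One way to build the deterministic per-site scheme described in xox's post, as an added example that is not xox's code and not the hash that post used (it names none): I assume HMAC-SHA256 keyed by the master secret, with the site's root domain as the message, mapped onto a 64-symbol alphabet. The master "FrogLemonBoots" and the two domains are the post's illustration values; the expansion counter, the alphabet and the helper names are mine.

```python
import hashlib
import hmac

# 64 symbols so that `byte % 64` is unbiased (256 is a multiple of 64).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def _block(master: str, site: str, counter: int) -> bytes:
    """HMAC-SHA256 keyed by the master secret over the site's root domain.
    The counter lets the output be extended past one 32-byte digest."""
    msg = site.encode() + b"\x00" + counter.to_bytes(4, "big")
    return hmac.new(master.encode(), msg, hashlib.sha256).digest()


def derive_password(master: str, site: str, length: int = 24) -> str:
    """Deterministic per-site password: same master + same domain -> same password."""
    out = []
    counter = 0
    while len(out) < length:
        for byte in _block(master, site, counter):
            if len(out) == length:
                break
            out.append(ALPHABET[byte % len(ALPHABET)])
        counter += 1
    return "".join(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def years_to_exhaust(length: int, guesses_per_second: float = 1000.0) -> float:
    """Years needed to try every password of this length at the stated guess rate."""
    return len(ALPHABET) ** length / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    master = "FrogLemonBoots"  # the post's illustration value, not a real secret
    real, typo = "allaboutcircuits.com", "allacoutcircuits.com"
    print(derive_password(master, real, 13))
    print(derive_password(master, typo, 13))
    print("salt bits that differ:", differing_bits(real.encode(), typo.encode()))
    print("digest bits that differ:",
          differing_bits(_block(master, real, 0), _block(master, typo, 0)))
    print(f"years to exhaust a 24-char password at 1000/s: {years_to_exhaust(24):.2e}")
```

The two domains really do differ in a single bit ('b' is 0x62, 'c' is 0x63), and the two HMAC digests then differ in roughly half of their 256 bits, which is the avalanche property the post relies on. Two caveats a practitioner would add: HMAC-SHA256 is fast, so anyone who obtains one derived password and guesses the scheme can brute-force a human-chosen master offline, which argues for a high-entropy master or a slow KDF such as scrypt or Argon2 in place of plain HMAC; and because the output is a pure function of master and domain, a breached site's password cannot be rotated without adding a version number to the message.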

ArakelTheDragon

Joined Nov 18, 2016
1,362
Hardware keyboards can be made 99% secure, but it will take non-idiots behind the scenes, who do not say and think only the things that have been made until now, but can think and do what's needed.
 