
I really hope that people don’t use random.org in prod. Use /dev/urandom instead.

https://sockpuppet.org/blog/2014/02/25/safely-generate-rando...



You wouldn't believe how many "engineers" I've seen open up random.org's string generator, and fiddle with the settings + copy a string from it only to drop it into a terminal for a root password/etc.

Point-in-case, I saw 2-3 "DevOps" engineers do it in my last position... over a screen share..! When you'd bring it up to people they would just roll their eyes and call you paranoid. =(


Do you believe "trying various snippets from random.org history" to be a viable oracle for guessing passwords? Because honestly that does sound a bit paranoid.


I guess I don't understand your statement as an actual real-world vector would look quite different than that. I may not understand what you're suggesting.

Visiting a webpage and copy-pasting a string off of it is not a very good practice for security because you're adding on a lot of parties to trust with that secret!

Effectively you want to minimize ANY place that your secret exists in plaintext, and trusting a webpage with this is just not a good idea.


It absolutely is paranoia. No point calling it anything else.

I imagine owning random.org, and not being very mean but a little clever. I know how many people come here for a quick clip; more importantly I know you come here. I rotate the same blob. I know all the pieces to brute force your infrastructure. Maybe you’ll use the wrong setting and something will be public that shouldn’t be. Hello.


On top of that, I find taking a shell and running `pwgen 24` much easier and faster. It even generates a couple of passwords if you need a few. And can be piped into things like ssh sessions for automation.

And yes, our recommended way is to have the secret management automatically generate the password. That way, not even your workstation touches it.
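
Added example (not part of any comment in this thread): one way to generate a secret locally in the shell from /dev/urandom, as the comments above recommend, with no third-party page in the path. The function names `gen_secret`, `gen_hex_key` and `entropy_bits` are hypothetical.

```shell
#!/bin/sh
# Added example: local secret generation from the kernel CSPRNG.
# Function names are hypothetical, not from the thread.

# gen_secret [LENGTH] [CHARSET]: print LENGTH characters drawn from CHARSET
# (a tr(1) set). Bytes outside the set are discarded rather than folded in
# with a modulo, so every character of the set is equally likely.
gen_secret() {
    len=${1:-24}
    charset=${2:-A-Za-z0-9}
    case $len in
        ''|*[!0-9]*) echo "gen_secret: LENGTH must be a number" >&2
                     return 2 ;;
    esac
    [ "$len" -gt 0 ] || return 2
    out=
    while [ "${#out}" -lt "$len" ]; do
        # tr drops NUL and every other byte outside CHARSET.
        chunk=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc "$charset")
        out=$out$chunk
    done
    # printf is a builtin in bash and dash, so the value is not passed
    # on an external command line.
    printf '%s\n' "$out" | cut -c1-"$len"
}

# gen_hex_key [BYTES]: print BYTES random bytes as lowercase hex
# (default 32 bytes, i.e. 64 hex characters).
gen_hex_key() {
    od -An -tx1 -N "${1:-32}" /dev/urandom | tr -d ' \n'
    echo
}

# entropy_bits LENGTH ALPHABET_SIZE: whole bits of entropy in a uniformly
# random string, LENGTH * log2(ALPHABET_SIZE), rounded down.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%d\n", n * log(k) / log(2) }'
}
```

`gen_secret 24` gives a 24-character alphanumeric string, which `entropy_bits 24 62` puts at 142 bits.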


What is the risk profile on that?


IMO - high, but let me explain... We were also under regulation. Annnnd we also had a giant target painted on our back at all times due to information that would be of immediate use to an attacker.

It all comes down to chain of trust. When it comes down to a root password, or any secret that's business-critical you want to minimize ANY sort of risk and that's just the right way to do business.

When I point my scraper at random.org I can see it talks to "ocsp.digicert.com", "ajax.googleapis.com", "ssl.google-analytics.com", and obv. "random.org" (wow that's actually pretty good =P)... those are now three separate entities that now need trust because they all have the opportunity to see what was rendered on that page in plaintext, they have the opportunity to see what you selected, etc.

Then add to that, any browser plugin, the browser itself, etc etc. Then the "in plaintext over screenshare" issue - and you've got a lot of points where something, or someone could MiTM a plaintext password if they wanted/needed.

Generating a random password/secret by visiting a public site on the internet is stupid/silly with regards to actual security, and opens yourself to attack vectors _for no real reason_. There are a TON of VERY QUICK/EASY ways to generate a very secure string for secret management that don't involve trusting a ton of third parties =|

In a "security culture conscious" SF tech company there should be no place for laziness/lack of care like that. IMO - dumb compromises like that are how you get caught with your pants down leaking a ton of PII.


Setting a root password over screen share? I think random.org is the least of the risks here.


Devops = not quite a dev + not quite a sys admin.


Devops usually means "it's faster and cheaper because we don't have a dedicated sysadmin". The union of good developers and good sysadmins is narrow like that of developers and designers.


I think you mean 'intersection'.


Totally, unfortunately I'm too late to edit my mistake.


Maybe true of junior devops that has never done any sysadmin or much programming outside of school. There's always people who are skilled at their job in whatever field.


Yeah - careful with that generalization though... talent is more a person-to-person and organization-to-organization thing and not a specific title IMO


I read that, but I still don’t know why not to use random.org.

I get there’s a nice advantage to not making a request to a remote service, but that’s situational.


In what situation do you feel the need to use random.org?

Most platforms have better ways to generate randomness without needing to trust an external service.


I don’t. I’m just wondering why not?

There’s a strong assertion that it’s a bad idea, but no actual reasons given. The link doesn’t address it. So I asked the question.

So far the answers have been downvotes and evasive questions, so I’m leaning toward the idea I stepped into some kind of ideological thing. That’s fine, I don’t really care so I withdraw the question.


It is mostly ideology. But using something like random.org does raise your risk profile.

Random.org or any of their partners or your browser or the connection between you and random.org could all potentially be compromised.

If someone knows that you always generate your random salts with that site, they could potentially use past generated strings to reverse engineer your crypto.

Of course, very few password generators are only going to use the random seed you gave it. You would also need to know possibly the exact microtime and a ton of other variables to be able to "replay" the same scenario and generate a copy of the key.

The strength of your crypto is based on how unpredictably random the data you provide it is.

Assuming random.org is not the only source of random that your application used, it's probably fine.

If not, and reusing that same random string will produce the same output, it is quite dangerous. Especially if you are screen sharing. Someone tied to the project could easily figure out the output by copying the random string from the video.


I think it’s a good question! For me personally I feel that urandom is the right thing to do. Perhaps I’m overly cautious but I don’t think it’s prudent to include an external dependency when there is a good local alternative included in most systems. urandom is very solid. If one’s network connection goes down or random.org goes down, one can still generate randomness without problems.


What about Windows? Is urandom available via MSYS/Cygwin/WSL and is its behavior consistent?


Windows has CryptGenRandom(), which calls into a somewhat convoluted userspace CSPRNG.



