Interesting approach, I must say. I hope she gets more interested in cryptography and starts programming; or opens a cryptography multi-billionaire company.
Whoever bought a password from others is pure stupid. There are tons of free, open source random password generators out there.
I bet a statistically significant number of buyers bought as encouragement to the 11yo's entrepreneurial actions. And won't use the pw of course.
I think the 11-year-old is being used as nice clickbait; it sure sounds better than a 30-year-old selling passwords. I would have supported it if she was trying to educate people, but passwords are something that should be known only by the user; selling a password is a no-no in my idea. And is it really hard for someone to open the mail and then seal it? If someone wants to have diceware passwords, it's pretty easy: 1. Go to https://grempe.github.io/diceware/ or https://entima.net/diceware/ 2. Disable your internet for a minute if you are paranoid 3. Generate and copy the passwords 4. Close the website and enable your internet.
I just got back from the local shops. While there, I heard a newborn baby uttering cryptographically secure pass phrases.
Those were the good old days. Nowadays you need a license to sell apples and oranges no matter how old you are. I wonder if the 11-year-old has a license?
If you want really secure passwords, do not generate them on a computer and certainly not on an online service. Rolling physical dice in a darkened room with no technology and a running tap is the way to go.
Yes, that would make really secure passwords if you are, let's say, a target of 3-letter agencies. Too bad that the first keylogger (or some other method of extraction) will send it to a 3rd party...
Not all passwords are on systems that can be (easily) keylogged and exfiltrated (e.g. airgapped systems for keygen and password and certificate management). And the password can also be backed with TFA (e.g. KeePass, LastPass etc. doing the bulk online password generation), Windows and Linux accounts etc. And some websites (gasp) even support TFA. Not nearly enough... Then, have hierarchies for the use & distribution of passwords, limiting exposure of compromise. Quite agree that if you're TLA targeted, you're toast in so many ways, but I'm not sure that would be the worst of my concerns at that point; I'm vulnerable to wrenches! But, in a way, that's what I accept as a citizen, that they would have to pay me personal attention (which costs money), rather than the mass surveillance and hoovering approach.
Yes, I agree with you. Because you mentioned a running tap while creating passwords, I thought that the user is targeted by a TLA. In such a situation, the password would be safe only until the first time it is used.