Secure Passwords and Usernames for the Dark Web (or Anywhere)

by Ciphas


DISCLAIMER: I have not used any of the “passwords” in this post as real passwords. So go ahead and try them all you want!

An acquaintance contacted me recently, and was asking about how to use darknet markets. One of the things I had advised this person to do was to make sure that they used a secure passphrase and/or username.

This is just good internet advice in general, but I would say that it goes double for the dark web.

One of my earliest posts on this blog was entitled Dark Web: Fake Words and Secret Codes. In it, I had suggested the diceware method for generating strong passwords – and I still do, actually!


Just to review: the way this is accomplished is that you roll a die (or pair of dice), and each 5-number set represents a word, number, or group of letters taken from a long word list.

They might look like this:

52121 ron

43453 noel

11243 acidic

53223 sequel

36514 llll

You then combine those words or numbers together, and that’s your password. Some people add periods or dashes in between the words, too. So, the final result would be “ron.noel.acidic.sequel.llll.”

For full details on how the diceware method works, see Diceware Passphrase Home.

This method, however, can be time-consuming. And the longer your password (or “passphrase”) is, the greater the chances are that you’ll make a mistake when typing it.

Throw Away the Dice??

My friend Arne Babenhauserheide, who is a programmer, came up with an alternate method of generating secure passwords, which he shared on his blog, Zwillingssterns Weltenwald.

The post in question is entitled Create secure passwords, usable on US and German keyboards.

Arne goes into detail about what denotes a strong password –

“Use blocks of four letters, chosen at random from a set of safely recognizable characters which are in the same position on German and US keyboards. Delimit blocks by a delimiter chosen at random from another set of characters.”

There’s a Javascript version of the password generator on the post itself, as well as code for it in Javascript, Python, and Wisp. You can read the full post if you want to find out more, but I also thought I’d show you some of the passwords that the generator came up with.


For a 12-character password: m3M4+v0Tg+ENHS

15 characters: QXL3+GWbh!vUqP.6d3

20 characters: VMCt!u6sF+Mxc5/fSwe/g7Vm

50 characters: MMWW.ruR3+vejH-7s6a.BiQi,89R5-51oq-FsFT,RK1M,HWmG*wvuj,D1om.9g

Well OK, 50 is probably overkill. One thing to point out – though you can use the password generator online, it’s much safer to download the web page and do it offline. I tried it – it works just fine!

There are a number of other sites that have a similar feature, but with any of these, I would recommend the same thing – download the page and generate the password offline.

Even if you don’t want to use these for your passwords, they can be fun to try out:

Strong Random Password Generator


XKPasswd – Secure Memorable Passwords



GRC – Ultra High Security Password Generator


Create Safe & Secure Passwords


I confess that I don’t know which of these “generators” are the most or least secure, but if you come up with a passphrase that works for you, then more power to you.

That’s Utter Nonsense!!!!

Oh, I almost forgot – the username part! It’s up to you, but if you want a more pseudo-random username, I like to use nonsense word generators (which I also mentioned in the earlier blog post).

I used to use the one on, but it seems to be having errors a lot lately.

There are quite a few more of these as well, some of which I’ll share:

Fake Word Generator For Great Made-Up Words!


Unique Word Generator



Nonsense Word Generator


Generate a list of random words


Obviously, you don’t have to do this, but it can be fun, and can also take the effort out of the whole, “What do I pick for a username?”

Here’s a random (or pseudo-random) result:

Username –

  • zo¥ᄀtomic


  • ET5h*XHd1*CUus.E6W

And there you go. Have fun, kids!

Oh, and you might want to use a VPN too.





Adventures in Coding, 1 . 0!


I admit this up front – I’m not a hacker.  That said, I never claimed to be one…the people that get all the flack are the ones who call themselves “hackers” and don’t know shit.

Some would probably say, “Then what the hell are you doing on the dark web?”  I think of that as part of my education (negative experiences included).

Notwithstanding, it may or may not surprise you that I’m in the process of learning to code (or as I called it when I was a kid, “programming”).  At that time (around age 12) I was learning BASIC, which seems outdated now, but was a great introduction to the concept of coding.  As a matter of fact, in some ways, it was more difficult than the coding I’m learning at the moment.



Back then, there weren’t any little “error notifications” telling you that you had written invalid code until you actually ran the program.  And sometimes, even then, the error messages weren’t all that helpful. This is one of the games that was included with the QBASIC, called Gorillas. Real Xbox One stuff, huh?


OK, it may not look that impressive, but now that I’m working with code again, those early lessons are coming back to me.  Despite the fact that all coding languages have differences, they do have some things in common.  I have fond memories of a text-based RPG game I created back then, in which you would fight against different opponents using a list of spells, like “fire,” “ice,” and “earth.”  The outcome was decided by some kind of random number generator.

When the fight actually took place, two stick figures would shoot the “spells” at each other (which were basically just colored circles).  It looked a lot like this:


Hey, if we had never had ATARI or Odyssey, we wouldn’t have Xbox and PS4 now, right?  As I’m sure my hacker and coder friends know, you do have to start somewhere; you weren’t born knowing how to code.

Coding Once More!!

Currently, I’m using several self-directed learning platforms, including freeCodeCampCodePen, and Codewars.  Through freeCodeCamp, in particular, I’ve learned a lot more HTML5, CSS3, jQuery, Bootstrap, and Javascript than I had ever known before.

freeCodeCamp makes the process of learning fun and informative, and while I occasionally get stuck (as most coders do at some point), it’s those moments that make it all the more satisfying when you figure them out.

One of the Javascript lessons, for example, had you create a simple “mad libs” type game called Word Blanks:


As simple as it may look, it took a while to get the code exactly right, so it was extremely satisfying when it worked properly (which is like a small orgasm for a coder).

I’ve only just begun on some of these other learning platforms, but CodePen is more like a coding portfolio site.  When you create an original program of some sort, you can save the code on there.

Codewars, on the other hand, is a collective coding platform where the authors learn various techniques from each other.  That one I’ve literally just started using, and I haven’t advanced all that far yet.

Given that I not only like coding, but also cheesy martial arts movies from the ’70s and martial arts in general, it’s the perfect crossover of the two!!


 For the people who are accustomed to sites like freeCodeCamp, however, Codewars may seem a bit more advanced.  On the former, especially on the earlier challenges, some of the code is done for you.

This is sometimes the case on Codewars, but other times you’ll have to do the entire function from scratch.  There’s a lot of variation.

Anyhow, all this is to say that while it has its frustrations, the process of learning to code is very amazing, and overall, it’s a great method of learning to think in a more abstract way.

As for how this relates to the dark web, I’ll say this: it’s much less intimidating if you know your coding, although people there tend to be on the much more advanced side.

So…watch your back, readers.




Privacy Tools: Ghostery vs. Adblock Plus


How many times have you heard this line?  “They’re watching you…” (A lot, I would imagine.)

Unfortunately, I’ve begun to realize that it’s true (at least with regard to the web).  Even when using the Tor network, which was created with privacy in mind, you’re still under surveillance, which is why some people have stopped using it altogether. (Although that hasn’t stopped me, the intrepid writer.)

Nonetheless, when you’re on the clearnet, there are some tools and plugins that can enhance your privacy (if not ensure it 100% of the time).

In a previous post, If We Built This Large Wooden Privacy Badger…, I discussed the plugin Privacy Badger, created by the Electronic Frontier Foundation (EFF).  For the most part, I’ve had a very positive experience with said Badger – he’s not a friend of trackers, trust me:


So, I thought it reasonable to compare some of the other popular privacy tools with Privacy Badger, to see which worked the best.

Do You Believe in Ghostery?


*ba-domp ching!*  For those who haven’t heard of Ghostery, it’s a web privacy-themed company; they’re the developers of the Ghostery browser extension.  The extension monitors the various web servers that are being called upon from any given webpage, and makes them correspond with a list of data collection tools (a.k.a. trackers).

And yes, I realize it’s already been reviewed on Lifehacker and other sites, but I still wanted to take a stab at it, and not just take everyone else’s word for it.

With Ghostery enabled, each time you visit a webpage, it searches for all the trackers connected to that site, and compiles them into a neat list, which it will display each time you access a new site:

ghostery blocklist

If you then look at the icon displayed on your menu bar, a little number should be showing next to it, indicating how many trackers have been found on that specific site.  Click that icon, and a dropdown menu (called the “Findings Panel”) will list the specific names of the trackers.  From that menu, you can choose to block or allow any specific tracker:


Granted, as with Privacy Badger and some of the other privacy apps, if you disable all the trackers on certain sites, the sites won’t work properly.  This, of course, is why you have the option of enabling or disabling each tracker individually.

If you only want to temporarily pause blocking so that you can use all of a site’s functions, then that’s what the “Pause Blocking” button is for.  On the other hand, if you trust a site completely, you can click “Whitelist Site.”

Like this blog, right?  You trust me, don’t you??


All in all, I’ve found Ghostery to be quite useful, but I choose to opt out of their GhostrankTM feature, which “collects anonymous data about the trackers you’ve encountered and the sites on which they were placed.” In theory, this feature is used to help businesses market themselves more transparently (and in a less intrusive way), but it’s also a way for Ghostery to make money – hey, did you think they were doing this for free?

Finally, under its options, Ghostery will show you a list of trackers that it’s blocked, in different categories (e.g. Advertising, Analytics, etc.).  You can choose to enable or disable any of these functions in order to optimize your web experience.


Cockblock Plus…I mean…Adblock Plus


Excuse me, little Freudian slip there!! This is what I meant:


Adblock Plus is, in a sense, very similar to Ghostery. Sometimes, however, they block different trackers (or different types of trackers).

Actually, one immediate difference that I noticed between ABP and Ghostery was that Ghostery tells you which specific domains it’s blocking, whereas ABP doesn’t.  It merely tells you how many ads its blocked on that page, as well as how many in total.

As a matter of fact, this initially appears to be a disadvantage, because it’s kind of an “all-or-nothing” approach.  However, ABP has a different method for blocking specific elements on a page.

If you right-click on certain page elements, a menu like this should appear (this one’s for Chrome) :

dropdown menu

Click the option that says “Block element.”  Another window should appear, listing the specific page element – you can then add that to your “blacklist” of blocked elements.


All in all, Adblock Plus works similarly to Ghostery, but after playing around with it a little, it seems slightly more geared toward the techies among us (me included)!  So really, which one you use (if any) is just a matter of personal preference.

That being said, these are far from the only privacy tools available – perhaps I shall save the rest for a future post.

In the meantime, I’m going to go back to hiding in my paranoia shelter.



A Chat With Jobi – Creator of Candle Search Engine

by Secrets of the Dark

Candle search

Those of you who’ve used the Tor network probably know that it can be very hard to navigate at times, even when using the different pages that share links.  In fact, I too, can relate to this – the first time I used it, I just relied on some of the link lists, which turned out to be semi-disastrous.

It does, of course, have its search engines, including not Evil, Ahmia, Grams, Sinbad, and the search engine in question – Candle, which can be accessed at Candle Search Engine.(Once again, don’t forget to access it through Tor.)

Candle’s memorable motto is “no parentheses, no boolean operators, no quotes, just words.”   I recently interviewed its creator, who goes by the name “Jobi.” If you’re unfamiliar with how search engines work in general, read on, and you’ll gain some insight!

In his words, he chose the name “Candle” because it:

  • “has the right amount of letters
  • Ends with ‘le’
  • Refers to a thing that brings light in darkness…
  • …but not a lot.” Reddit: Candle (a search engine)


This is how I picture Candle – I’m visual that way.

When we spoke initially on Reddit, I had asked Jobi why he wrote Candle.  He said, “I wrote Candle because it was a challenge.  To see if I could do it and how it would turn out.  It was not designed to be a ‘dark net search engine’, just a search engine.  It could index anything.  I chose to index the Tor web for a couple of reasons.  Mostly because it is nice and small.

“Candle runs on a Macbook.  I don’t have fiber connected server farms.  For me, indexing the real web would be like sucking down an ocean through a garden hose; indexing the Tor web is like sucking down a bathtub through a straw.  Neither are ideal but the latter is not impossible.  Also, the Tor web isn’t that well indexed, so it would be more useful.”

If you happen to be on the Tor network and feel lost, I’d recommend trying out Candle; anyhow, on to the meat of the interview!

Secrets of the Dark: What is your background with regard to coding and web development? (i.e. Do you have formal schooling in programming?)

Jobi: Yes. I studied computer science, and have been coding professionally for almost 20 years.

I have very little experience in web development. I can write HTML 1.0 and…some [Javascript], but that’s it. Candle only produces very few different pages; they are pretty much identical and very simple. All self contained, no external resources.

SOTD: What have been your experiences with running a Tor node?  Have you experienced any harassment or difficulties in the process?

J: No.  It just runs by itself.  I have never talked to my ISP about it and they have never contacted me.  Some web sites block me, but none that are important to me.  My relay is not an exit.  It is just a small relay on a low power machine, a single core 16Ghz Atom.

SOTD: Prior to creating Candle, what are some software projects you have worked on?

J: I created a clickable map of the universe of some space RPG.  It uses only HTML and javascript [sic].  I created a thing where you can upload a picture and it converts it into a format suitable to Flash on phones as a boot-up screen.  It uses PHP to invoke shell scripts.  This is probably [the] most serious web development project I’ve done.

SOTD: You said that you ‘wrote Candle because it was a challenge.’  Do you think that the result you came up with was a successful answer to that challenge?

J: I came across a bunch of issues that I didn’t know before I started.  Mostly things that are a bit fuzzy, that you can not just calculate.

It took a lot of tweaking and tuning in order to prevent lots of rubbish in the index, without filtering out good data. Wikis and forums have lots of links that are just not worth crawling. [My sentiments exactly! – Ed.]

I am very conservative about what I consider a ‘word’: Anything under 3 letters is not a word.  Anything with a non-letter in it is not a word.  Anything with more than 3x the same letter in a row is not a word.  Etc…

In the end I’m quite happy with the quality of the index.

SOTD: I’ve noticed that Candle only returns the top 20 search results (as opposed to all of them). Why did you design it this way?

J: It is part of keeping it lightweight. It also prevents Candle from becoming a tool for others to just suck down the entire index.

Having a ‘next page’ button would mean I’d either have to redo the query, or cache results in ‘sessions’.

SOTD: What kind of work do you do professionally? Is it related to software development, or is that a hobby?

J: I’m a software developer. My day to day work happens in C and C++.

SOTD: Even though a developer, like a magician, might ‘never reveal his secrets,’ would you be willing to give a basic explanation of how the Candle search engine is different from other popular search engines?

J: I don’t believe that Candle is ‘more special’ than others. It is different because I didn’t use any standard framework and came up with my own solutions for things like filtering and ranking.

Also, there is nothing secret about it. I just can not open source it because it uses proprietary libraries from work.

SOTD: Would you be willing to talk about yourself a little (like your educational background)?

J: As I said in question #1, I have studied computer science.

But before that I already coded. As a kid, I got an 8 bit micro. It came with a thick manual and I was curious enough to teach myself how to program it. First in BASIC, then in assembler. This was before the Internet was a thing. Later, I got (access to) a PC and started learning Pascal and C.

SOTD: Did you work with others on this project, or was Candle designed solely by you?

J: I did it solely by myself. At first I never even told anyone it was running. At some point [it] was discovered and the number of hits slowly started to ramp up.

SOTD: Have you ever used other anonymity networks besides Tor (like I2P, Freenet, or GNUnet)? If so, what has been your experience with them? (Has it been positive, negative, or something in between?)

J: I have not. I don’t use Tor that much either, but when I do, it works well enough and I don’t have problems.

SOTD: Is there any kind of content that you try to exclude from Candle search results (such as child pornography)?

J: No. That would be a very slippery slope. Once I start filtering out one thing, I implicitly start condoning everything else.

SOTD: What sorts of changes might you make to Candle’s search algorithms so that it could improve (if any)?

J: The crawling is as good as it gets.

The search result ranking is basically good, but I do still tweak it a little bit from time to time. I do not have a very satisfactory strategy to determine the order in which I visit pages. I have way more URLs than I can visit in a reasonable time, but some URLs deserve to be on a higher rotation than others.

I might add [an] ‘onion history’ feature, where it shows when an onion was up/down, when the home page title changed, things like that. I already keep track of some of that, and I would have to look into how clean and useful that data is.

SOTD: Have people in the Reddit community given you good feedback about Candle, or about Tor in general?

J: I have had a bit of good constructive feedback, but most of it was just ‘hey that looks nice’. Nobody was negative about it, i.e. ‘You suck for making this’.

SOTD: What advice might you give to someone who says, ‘I’d like to develop my own search engine – where should I start?’

J: You can always start with a crawler: read a page with links, parse it, extract the links, add those URLs to your list.

Have it crawl for a few hours, then look at your dataset and see what’s in there that shouldn’t [be].

Come up with filtering rules for those and then restart clean. Repeat this until you are happy with the dataset.

You should also determine your feature set early on. For example, in Candle you can only search for individual words, not phrases.

For certain features it might be necessary to keep copies of the content you index. I decided I didn’t want that.

SOTD: You had told me that ‘With Candle, I try to deliver diverse results. It won’t return multiple results from the same onion, or from the same ‘identical/very similar’ onion.” Would it be possible to explain a little about how this is done?

J: When you enter some words, I look up all the URLs that have those words in it. This might contain multiple URLs from the same onion domain. If so, I only keep the ‘best’ one. It also might contain URLs from onions that are mirrors/copies/clones of each other. This is harder to determine.

Since I don’t keep copies of content, I have to base ‘identicality’ on stats and metadata like title, size, number of words, links, etc. (Have you noticed the ‘onion:…’-link underneath each result?)

Which one is the best is based on how often the words occur, how strong those words are, how many words the page has, etc.

SOTD: What projects are you currently developing, or do you plan to develop, if given the time?

J: I got an Arduino for Christmas, so currently my evening hours are devoted to making LEDs flash.

Writing Candle was really just an exercise for myself. I am still surprised about the amount of use it gets every day.



(Well Jobi, I’m glad you created it – and I’m sure millions of other Tor users are too!)