There’s a strong assertion that it’s a bad idea, but no actual reasons given. The link doesn’t address it. So I asked the question.
So far the answers have been downvotes and evasive questions, so I’m leaning toward the idea I stepped into some kind of ideological thing. That’s fine, I don’t really care so I withdraw the question.
It is mostly ideology. But using something like random.org does raise your risk profile.
Random.org or any of their partners or your browser or the connection between you and random.org could all potentially be compromised.
If someone knows that you always generate your random salts with that site, they could potentially use past generated strings to reverse engineer your crypto.
Of course, very few password generators are only going to use the random seed you gave it. You would also need to know possibly the exact microtime and a ton of other variables to be able to "replay" the same scenario and generate a copy of the key.
The strength of your crypto is based on how unpredictably random the data you provide it is.
Assuming random.org is not the only source of random that your application used, it's probably fine.
If not, and reusing that same random string will produce the same output, it is quite dangerous. Especially if you are screen sharing. Someone tied to the project could easily figure out the output by copying the random string from the video.
I think it’s a good question! For me personally I feel that urandom is the right thing to do. Perhaps I’m overly cautious but I don’t think it’s prudent to include an external dependency when there is a good local alternative included in most systems. urandom is very solid. If one’s network connection goes down or random.org goes down, one can still generate randomness without problems.
I get there’s a nice advantage to not making a request to a remote service, but that’s situational.