pwgen has a long history of generating insecure passphrases. Up until 2014 (pwgen 2.07, shipped only in Debian jessie and Ubuntu Vivid) it had two serious security vulnerabilities (CVE-2013-4440 and CVE-2013-4442) that specifically affect pass. It still defaults to an insecure "phoneme" password generation, although pass uses the more secure "-s" flag. More information about those issues and more can be found in those discussions:
http://www.openwall.com/lists/oss-security/2012/01/22/6
http://www.openwall.com/lists/oss-security/2013/05/24/7

It is still unclear how actually secure the --secure flag is: the manpage doesn't say how much entropy is actually used to generate passwords. (According to a quick review of the source code: each character is chosen randomly based on a byte taken from the non-blocking /dev/urandom PRNG, and not all bytes are used in some cases, wasting possible entropy.)
I'll seriously consider replacing pwgen. I didn't know it was so horrible. I'll investigate and make a decision.
But on the other hand . .
I think we need a pluggable password generator, so at least we don't have to argue and people can use whatever generator they prefer. And as for a default, well pwgen is (in my opinion) better than the one in that patch.
Next release of pass will be generally pluggable, so I'll consider this.
So yah, let's see about possibly replacing pwgen . .
I'm thinking 2 string fields, one for the application (e.g. /usr/bin/pwgen or /usr/local/bin/apg or even ~/bin/hsxkpasswd or something like that) and the second for command line parameters (like -s -a 1 -m 63 -n 4).
Or possibly even a set of different presets (for the generator dropdown to choose from) . .
I would want a dropdown with different generators to pick from (maybe with a "custom" selection so users can use their own), with different check boxes for each selection to select different parameters.
Some highlights . .
https://lists.zx2c4.com/pipermail/password-store/2016-December/002534.html
https://lists.zx2c4.com/pipermail/password-store/2016-December/002536.html
Loosely related: #238
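The quoted review above notes that pwgen maps each /dev/urandom byte onto a character and that "not all bytes are used in some cases". The example below, added here and not code from pass, pwgen or any participant in this issue, shows the two ways a generator can map a byte onto a 62-symbol alphabet: the modulo mapping uses every byte but is biased (some symbols get 5 of the 256 byte values, others 4), while rejection sampling discards the bytes above the largest multiple of 62 and is exactly uniform. Discarding bytes "wastes" CSPRNG output, but that is the correct choice; the bias of the modulo mapping is the actual weakness, since it lowers the entropy per character below the log2(62) the password length promises. The alphabet, the helper names and the deterministic byte sources are assumptions of this example.

```python
import math
import os
from collections import Counter

# Assumed alphabet for the example: 62 alphanumeric symbols, like pwgen -s -A / pass's default set.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def pick_modulo(byte, alphabet=ALPHABET):
    """Biased mapping: every byte is used, but 256 is not a multiple of 62."""
    return alphabet[byte % len(alphabet)]


def pick_rejection(byte, alphabet=ALPHABET):
    """Unbiased mapping: bytes >= 248 (the largest multiple of 62 below 256) are discarded."""
    n = len(alphabet)
    limit = 256 - (256 % n)  # 248 for a 62-symbol alphabet
    if byte >= limit:
        return None  # reject; caller draws another byte
    return alphabet[byte % n]


def generate(length, picker, randbytes=os.urandom):
    """Draw bytes from the CSPRNG (os.urandom by default) and map them through `picker`."""
    out = []
    while len(out) < length:
        for b in randbytes(length - len(out)):
            ch = picker(b)
            if ch is not None:
                out.append(ch)
            if len(out) == length:
                break
    return "".join(out)


def symbol_weights(picker, alphabet=ALPHABET):
    """Exhaustive count of how many of the 256 byte values land on each symbol (deterministic)."""
    weights = Counter()
    for b in range(256):
        ch = picker(b, alphabet)
        if ch is not None:
            weights[ch] += 1
    return weights


def bias_ratio(picker, alphabet=ALPHABET):
    """Probability of the most likely symbol divided by that of the least likely; 1.0 means uniform."""
    w = symbol_weights(picker, alphabet)
    return max(w.values()) / min(w.values())


def entropy_bits_per_char(picker, alphabet=ALPHABET):
    """Shannon entropy (bits) of one output character under the given mapping."""
    w = symbol_weights(picker, alphabet)
    total = sum(w.values())
    return -sum((c / total) * math.log2(c / total) for c in w.values())


if __name__ == "__main__":
    for name, picker in (("modulo", pick_modulo), ("rejection", pick_rejection)):
        print(f"{name:9s} bias ratio {bias_ratio(picker):.3f}  "
              f"{entropy_bits_per_char(picker):.4f} bits/char  sample {generate(16, picker)}")
```

Run it to see that the modulo mapping's worst-case symbol is 1.25 times as likely as its best case and that it yields slightly under the 5.954 bits per character of a uniform choice, while the rejection mapping is exactly uniform; both sample passwords are drawn from os.urandom.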