Stop using pwgen
Antoine Beaupré anarcat at
Previous message: Error reencrypting password store

pwgen has a long history of generating insecure passphrases. up until
2014 (pwgen 2.07, shipped only in Debian jessie, and Ubuntu Vivid) it
had two serious security vulnerabilities (CVE-2013-4440 and
CVE-2013-4442) that specifically affect pass.
insecure "phoneme" password generation, although pass uses the more
more information about those issues and more can be

It is still unclear how actually secure the `--secure` flag is: the
manpage doesn't say how much entropy is actually used to generate
(according to a quick review of the source code: each
character is chosen randomly based on a byte taken from the
non-blocking /dev/urandom PRNG, and not all bytes are used in some

Since we use pwgen only to generate passphrases, it seems reasonable
source of entropy (UNIX has /dev/random) and turn bytes into

A 18 bytes password contains (naturally) 144 bits of entropy and
base64 turns that in a 25 character password, the current default.
20 bytes may be better because we like to think in
round numbers, which would give us 160 bits of entropy and 28
character passwords. we could even cram an extra byte in there to get
168 bytes of entropy and keep 28 character passwords, but I chose to
retain the same default to make this patch more acceptable.

Base64 passwords are more portable and incur only a ~13% size increase
compared to original byte stream.
over the entropy level than what pwgen provides: we don't actually
know how much entropy a given pwgen password has, as it's

We depend on GNU coreutils' base64 command because its CLI is
different from the traditional BSD one (BSD requires -e or -d, GNU
refuses -e) - I assume this can be fixed in the BSD ports.

This removes a dependency and encourages stronger passwords.

Ideally, the password generation program would be made configurable
that way people could use diceware, pwqgen

 src/completion/pass.bash-completion | 2 +-
 src/completion/pass.fish-completion | 1 -
 src/completion/pass.zsh-completion  | 4 +-
 src/password-store.sh               | 21 ++++++++++++-
 7 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/contrib/emacs/password-store.el b/contrib/emacs/password-store.el
 (defun password-store-run-generate (entry password-length &optional force no-symbols)

@@ -111,12 +111,10 @@ ensure that temporary files are created in \fI/dev/shm\fP in order to avoid writ
 difficult-to-erase disk sectors. If \fI/dev/shm\fP is not accessible, fallback to
 the ordinary \fITMPDIR\fP location, and print a warning.
-of length \fIpass-length\fP (or \fIPASSWORD_STORE_GENERATED_LENGTH\fP if unspecified)
-is specified, do not use any non-alphanumeric characters in the generated password.
+Generate a new password of given entropy \fIpass-entropy\fP (or \fIPASSWORD_STORE_GENERATED_ENTROPY\fP if unspecified)
+\fIpass-entropy\P bytes from \fI/dev/random\fP en base64 encoding them.
 If \fI--clip\fP or \fI-c\fP is specified, do not print the password but instead copy
 The location of the text editor used by \fBedit\fP.

diff --git a/src/completion/pass.bash-completion b/src/completion/pass.bash-completion
 COMPREPLY+=($(compgen -W "-n --no-symbols -c --clip -f --force -i --in-place" -- $.

-	Generate a new password of pass-length (or $GENERATED_LENGTH if unspecified) with optionally no symbols.
+	Generate a new password of given entropy (or $GENERATED_ENTROPY if unspecified).
 	Optionally put it on the clipboard and clear board after $CLIP_TIME seconds.
 	Prompt before overwriting existing password unless forced.

An exact answer would require a deeper analysis of the pwgen source code, or a more exact measurement. But I think we can use a strong compressor to approximate the entropy. The command

pwgen 1048576|xz -9ve -|wc -c

generates a 1MB long password, compresses it with the best known flags of the best known compressor, and measures the size of the output. Replayed measurements didn't show a significant dispersion. Based on this, the entropy of a single, 8 byte-long pwgen password is 8*8*593412/1048576 = 36.2 bits of entropy.

Note: although the output was a text file, xz could compress it only with a surprisingly bad ratio. Typically, text data can be compressed to around 10% of its original size, while xz could reach only a 60% ratio. It means that pwgen is probably quite sophistically tuned also for the high entropy, and not only to produce easily pronounceable passwords.

36 bits is not enough defense against gpu-accelerated, clustered brute force attacks.
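Review bot: in the pass.1 hunk, the added line `+\fIpass-entropy\P bytes from \fI/dev/random\fP en base64 encoding them.` has a broken troff escape (`\P` where the neighbouring lines use `\fP`; check the actual patch file in case this is only an archive artifact) and "en base64" should read "and base64". The same two added lines describe \fIpass-entropy\fP as a number of bytes while the option name says entropy and the commit message reasons in bits (18 bytes = 144 bits); state the unit in the man text, for example "read \fIpass-entropy\fP bytes (8 * \fIpass-entropy\fP bits of entropy) from \fI/dev/random\fP", so nobody passes a bit count and gets an 8x longer password. Since the text commits to \fI/dev/random\fP specifically, also document that it can block on Linux when the kernel's entropy estimate is low; the commit message itself contrasts this with the non-blocking /dev/urandom pwgen used, so the choice deserves a sentence.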
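Review bot: the password-store.sh usage hunk drops "with optionally no symbols" from the generate description, yet the COMPREPLY line quoted from pass.bash-completion still lists `-n --no-symbols` and the password-store.el defun still takes a `no-symbols` argument; if those are the surviving sides of their hunks, completion and the Emacs wrapper keep advertising an option that a base64 password can no longer honour. Remove -n/--no-symbols consistently across the completion word list, the zsh and fish completions the diffstat touches, and the Emacs signature, or keep the option and its usage text. The new `+ Generate a new password of given entropy (or $GENERATED_ENTROPY if unspecified).` line should also say the unit of $GENERATED_ENTROPY (bytes, going by the man page hunk).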
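The two technical arguments above, the patch's "N CSPRNG bytes, base64-encoded" scheme and the reply's xz-compression estimate of a generator's entropy, are easy to check in code. The block below is an added example written for this page; it is neither the thread's code nor part of pass. It assumes secrets.token_bytes() as a stand-in for `head -c N /dev/random`, uses xz preset 6 with the extreme flag instead of -9e to keep memory modest (for samples far smaller than the dictionary the result is the same), and adds a constructed consonant/vowel toy generator, not pwgen's phoneme algorithm, as the low-entropy comparison.

```python
"""Added example, not code from the thread or from pass itself.

Makes two pieces of the discussion concrete: the patch's bytes -> bits ->
base64-length arithmetic, and the reply's trick of estimating a password
generator's entropy from how well xz compresses a long stream of its output.
"""
import base64
import lzma
import secrets


def base64_password(n_bytes: int) -> str:
    """What the patch proposes: N bytes from the OS CSPRNG, base64-encoded.
    Assumption: secrets.token_bytes() stands in for `head -c N /dev/random`;
    the encoding step is identical."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def entropy_bits(n_bytes: int) -> int:
    """Each CSPRNG byte carries 8 bits; base64 is a bijection and adds none."""
    return 8 * n_bytes


def base64_length(n_bytes: int) -> int:
    """Length of padded standard base64: four output characters per three bytes."""
    return 4 * ((n_bytes + 2) // 3)


def xz_compressed_size(data: bytes) -> int:
    """Size after xz with the extreme flag, mirroring the reply's `xz -9ve`.
    Assumption: preset 6 instead of 9 (about 100 MiB instead of 700 MiB of RAM);
    for samples well below the 8 MiB dictionary the ratio is the same."""
    return len(lzma.compress(data, format=lzma.FORMAT_XZ,
                             preset=6 | lzma.PRESET_EXTREME))


def bits_per_password(compressed: int, original: int, password_len: int) -> float:
    """The reply's arithmetic: 8 * chars_per_password * compressed / original."""
    return 8 * password_len * compressed / original


def estimate_bits_per_char(sample: str) -> float:
    """Compression-based estimate of entropy per output character.
    A lossless compressor cannot beat the true entropy on average, so this is
    an upper bound that tightens as xz finds more structure to exploit."""
    data = sample.encode("ascii")
    return bits_per_password(xz_compressed_size(data), len(data), 1)


# Constructed low-entropy generator for comparison: a random consonant followed
# by a random vowel, i.e. log2(19) + log2(5) bits per two characters, roughly
# 3.3 bits per character. A toy, not pwgen's phoneme algorithm.
CONSONANTS = "bcdfghjklmnprstvwxz"
VOWELS = "aeiou"


def toy_pronounceable(n_chars: int) -> str:
    return "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(n_chars))


def compare_generators(sample_chars: int = 1 << 18) -> dict:
    """Run the reply's measurement over both generators; returns bits per char."""
    strong = base64_password(sample_chars * 3 // 4)[:sample_chars]
    weak = toy_pronounceable(sample_chars)
    return {
        "base64_random": estimate_bits_per_char(strong),
        "toy_pronounceable": estimate_bits_per_char(weak),
    }


if __name__ == "__main__":
    for n in (18, 20, 21):
        print(f"{n} bytes -> {entropy_bits(n)} bits, {base64_length(n)} chars:",
              base64_password(n))
    print("reply's figure:", round(bits_per_password(593412, 1048576, 8), 1),
          "bits per 8-char pwgen password")
    for name, bpc in compare_generators().items():
        print(f"{name}: ~{bpc:.2f} bits/char -> ~{8 * bpc:.1f} bits per 8 chars")
```

Two things the output shows that the prose does not: 18 bytes encode to exactly 24 base64 characters (no padding), 20 bytes to 28 with one `=`, and 21 bytes to 28 without; and the xz estimate for the base64 stream lands a little above the true 6 bits per character, which is the direction of error to expect, so a compression-based figure for pwgen is optimistic rather than pessimistic.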