
pass is apparently switching out pwgen #264

Closed
annejan opened this Issue Dec 19, 2016 · 2 comments

@annejan
Member

annejan commented Dec 19, 2016

Some highlights . .

https://lists.zx2c4.com/pipermail/password-store/2016-December/002534.html

pwgen has a long history of generating insecure passphrases. Up until 2014 (pwgen 2.07, shipped only in Debian jessie, and Ubuntu Vivid) it had two serious security vulnerabilities (CVE-2013-4440 and CVE-2013-4442) that specifically affect pass. It still defaults to an insecure "phoneme" password generation, although pass uses the more secure "-s" flag. More information about those issues and more can be found in those discussions:
http://www.openwall.com/lists/oss-security/2012/01/22/6
http://www.openwall.com/lists/oss-security/2013/05/24/7
It is still unclear how actually secure the --secure flag is: the manpage doesn't say how much entropy is actually used to generate passwords. (According to a quick review of the source code: each character is chosen randomly based on a byte taken from the non-blocking /dev/urandom PRNG, and not all bytes are used in some cases, wasting possible entropy.)

https://lists.zx2c4.com/pipermail/password-store/2016-December/002536.html

I'll seriously consider replacing pwgen. I didn't know it was so horrible. I'll investigate and make a decision.

But on the other hand . .

I think we need a pluggable password generator, so at least we don't have to argue and people can use whatever generator they prefer. And as for a default, well pwgen is (in my opinion) better than the one in that patch.

Next release of pass will be generally pluggable, so I'll consider this.

So yah, let's see about possibly replacing pwgen . .

I'm thinking 2 string fields, one for the application (e.g. /usr/bin/pwgen or /usr/local/bin/apg or even ~/bin/hsxkpasswd or something like that) and the second for command line parameters (like -s -a 1 -m 63 -n 4).

Or possibly even a set of different presets (for the generator dropdown to choose from) . .

Loosely related: #238
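As an added illustration of the entropy point in the quoted mail (this is example code, not from pass, pwgen or QtPass), the block below shows why mapping one /dev/urandom byte to a character with a plain modulo biases the output, how rejection sampling avoids that at the cost of discarding some bytes (the "wasted" entropy mentioned above), and how much entropy a password of a given length carries. The 62-symbol alphabet (letters and digits) is an assumption about what a "-s" style generator uses, not taken from pwgen's source.

```python
import math
import os
from collections import Counter

# Assumed alphabet for a "-s" style generator: letters and digits, 62 symbols.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Largest multiple of the alphabet size that fits in one byte (248 for 62 symbols).
LIMIT = 256 - (256 % len(ALPHABET))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` independent, uniformly chosen symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def pick_modulo(byte: int) -> str:
    """Naive mapping byte % 62: bytes 248..255 wrap around, so symbols 0..7 occur 5/256 instead of 4/256."""
    return ALPHABET[byte % len(ALPHABET)]


def pick_rejection(byte: int):
    """Unbiased mapping: accept the byte only if it is below LIMIT, otherwise discard it."""
    if byte >= LIMIT:
        return None
    return ALPHABET[byte % len(ALPHABET)]


def wasted_fraction() -> float:
    """Share of random bytes the rejection step throws away (8/256 for a 62-symbol alphabet)."""
    return (256 - LIMIT) / 256


def byte_distribution(picker) -> Counter:
    """How often each symbol is produced when every byte value 0..255 occurs exactly once."""
    return Counter(c for c in (picker(b) for b in range(256)) if c is not None)


def generate(length: int, rand_bytes=os.urandom) -> str:
    """Build a password of `length` symbols from the OS CSPRNG using rejection sampling."""
    out = []
    while len(out) < length:
        # Request only as many bytes as symbols are still missing; rejected bytes are simply dropped.
        for b in rand_bytes(length - len(out)):
            c = pick_rejection(b)
            if c is not None:
                out.append(c)
    return "".join(out)
```

The modulo mapping gives the first eight symbols a 25% higher probability than the rest, which lowers the real entropy below the nominal length * log2(62); rejection sampling keeps every symbol at exactly 4/256 while discarding 1/32 of the input bytes.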

@betsythefc


betsythefc commented Dec 19, 2016

I would want a dropdown with different generators to pick from (maybe with a "custom" selection so users can use their own), with different check boxes for each selection to select different parameters.

@annejan


Member

annejan commented Feb 28, 2017

I'm closing this issue in favour of #296

@annejan annejan closed this Feb 28, 2017
