Description
Some highlights...
https://lists.zx2c4.com/pipermail/password-store/2016-December/002534.html
pwgen has a long history of generating insecure passphrases. up until
2014 (pwgen 2.07, shipped only in Debian jessie, and Ubuntu Vivid) it
had two serious security vulnerabilities (CVE-2013-4440 and
CVE-2013-4442) that specifically affect pass. it still defaults to an
insecure "phoneme" password generation, although pass uses the more
secure "-s" flag. more information about those issues and more can be
found in those discussions:
http://www.openwall.com/lists/oss-security/2012/01/22/6
http://www.openwall.com/lists/oss-security/2013/05/24/7
it is still unclear how actually secure the --secure flag is: the
manpage doesn't say how much entropy is actually used to generate
passwords. (according to a quick review of the source code: each
character is chosen randomly based on a byte taken from the
non-blocking /dev/urandom PRNG, and not all bytes are used in some
cases, wasting possible entropy.)
https://lists.zx2c4.com/pipermail/password-store/2016-December/002536.html
I'll seriously consider replacing pwgen. I didn't know it was so
horrible. I'll investigate and make a decision.
But on the other hand...
I think we need a pluggable password generator, so at least we don't have to
argue and people can use whatever generator they prefer. And as for a
default, well pwgen is (in my opinion) better than the one in that patch.
Next release of pass will be generally pluggable, so I'll consider this.
So yah, let's see about possibly replacing pwgen...
I'm thinking of 2 string fields, one for the application (e.g. /usr/bin/pwgen or /usr/local/bin/apg or even ~/bin/hsxkpasswd or something like that) and the second for command line parameters (like -s -a 1 -m 63 -n 4)
Or possibly even a set of different presets (for the generator dropdown to choose from)...
Loosely related: #238
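As an added illustration (not code from this project, pass, or pwgen) of two points above: the quoted concern that reducing one /dev/urandom byte to a character does not use every byte value evenly, and the proposed "application + parameters" settings fields. The alphabet and the `build_generator_command` helper are assumptions for the example; `modulo_bias` quantifies the plain-modulo skew, `unbiased_index` shows the rejection-sampling fix, and `shlex.split` turns the parameter string into an argv list without a shell.

```python
import math
import os
import shlex
from collections import Counter

# Hypothetical alphabet for the example; pwgen's own character sets are not reproduced.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def modulo_bias(alphabet_size: int) -> dict:
    """Probability each symbol index receives when a single random byte is
    reduced with `byte % alphabet_size`. Unless alphabet_size divides 256,
    the low indices come up slightly more often than the rest."""
    counts = Counter(b % alphabet_size for b in range(256))
    return {i: counts[i] / 256 for i in range(alphabet_size)}

def shannon_entropy_bits(probs) -> float:
    """Entropy in bits of a distribution given as an iterable of probabilities."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def unbiased_index(alphabet_size: int, rand=os.urandom) -> int:
    """Uniform symbol index by rejection sampling: discard bytes at or above
    the largest multiple of alphabet_size that fits in a byte, so every
    surviving byte value maps onto the alphabet the same number of times."""
    limit = 256 - (256 % alphabet_size)
    while True:
        b = rand(1)[0]
        if b < limit:
            return b % alphabet_size

def generate(length: int, alphabet: str = ALPHABET, rand=os.urandom) -> str:
    """Password of `length` symbols drawn independently and uniformly."""
    return "".join(alphabet[unbiased_index(len(alphabet), rand)] for _ in range(length))

def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def build_generator_command(application: str, parameters: str) -> list:
    """Turn the two proposed settings fields (program path, parameter string)
    into an argv list for subprocess.run(..., shell=False); shlex keeps quoted
    arguments intact and avoids handing the string to a shell."""
    return [application, *shlex.split(parameters)]

if __name__ == "__main__":
    k = len(ALPHABET)
    biased = shannon_entropy_bits(modulo_bias(k).values())
    print(f"{k}-symbol alphabet: {math.log2(k):.4f} bits/char uniform, {biased:.4f} with plain modulo")
    print(generate(20), round(password_entropy_bits(20, k), 2))
    print(build_generator_command("/usr/local/bin/apg", "-s -a 1 -m 63 -n 4"))
```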