by freeflight 3256 days ago
For completeness' sake, this is probably the comic you are referencing: https://xkcd.com/936/

    curl -s https://raw.githubusercontent.com/first20hours/google-10000-english/master/google-10000-english-no-swears.txt | shuf | head -n 4 | tr '\n' ' '; echo
    mine wear vacation mostly
log2(10^16) = 53 bits of entropy or 300 years if your attacker can do a million guesses per second (the link says 1000 keys per second, but that's on the CPU).

You could also use `cat /usr/share/dict/words` instead of the `curl`, which is a much larger word list, but you get impractical passwords like "globular cellulose's malnutrition's dangling".

Careful, shuf is not cryptographically safe by default! You need to pass --random-source=/dev/urandom to get a proper RNG.

https://www.gnu.org/software/coreutils/manual/html_node/Rand...
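Putting the two points above together (the 4-word passphrase with its entropy estimate, and the warning that the generator must be a real CSPRNG), here is an added Python example that is not from the thread: it picks words with the `secrets` module (backed by `os.urandom`) and reproduces the thread's entropy and brute-force arithmetic. The `WORDS` list is a small constructed stand-in for the downloaded 10,000-word list so the code runs offline, and the `rng` parameter is an assumption of this example.

```python
import math
import secrets

# Constructed stand-in for the 10,000-word list the thread fetches with curl;
# embedded here so the example runs offline. Entropy below is computed from
# the real list size, not from this short sample.
WORDS = ["mine", "wear", "vacation", "mostly", "river", "candle", "orbit", "maple"]


def passphrase(words, n=4, rng=secrets):
    """Pick n words independently and uniformly using a CSPRNG.

    `rng` (assumed parameter) is any object with a .choice() method; the
    default is `secrets`, whose choice() reads from os.urandom. Passing the
    `random` module here would repeat the shuf-without---random-source
    mistake: a general-purpose PRNG, not a cryptographic one.
    """
    return " ".join(rng.choice(words) for _ in range(n))


def entropy_bits(list_size, n):
    """Entropy of n independent uniform picks from list_size words.

    For the thread's numbers: 4 * log2(10000) = log2(10^16) ~= 53.2 bits.
    Uniform choice is exactly what the CSPRNG guarantees; a biased or
    predictable generator makes this figure an overestimate.
    """
    return n * math.log2(list_size)


def years_to_exhaust(list_size, n, guesses_per_second):
    """Worst-case time to try every passphrase at a fixed guess rate.

    10000^4 / 1e6 guesses per second is about 317 years, the thread's
    '300 years' figure; on average an attacker needs half of that.
    """
    seconds = list_size ** n / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print(passphrase(WORDS))
    print(f"{entropy_bits(10000, 4):.1f} bits")
    print(f"{years_to_exhaust(10000, 4, 1_000_000):.0f} years at 1M guesses/s")
```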

Why does shuf implement its own random number generator? Why isn't /dev/urandom the default?

https://sockpuppet.org/blog/2014/02/25/safely-generate-rando...

shuf is not a crypto tool, and the GNU coreutils are written to be cross-platform, even where /dev/urandom doesn't exist, or is unreliable. That's my guess, at least.
Nice, yes that was the one, thanks.