by yarwelp_ 3040 days ago
On the topic of passwords, have a look at my command-line passphrase generation program.

GitHub: https://github.com/ctsrc/pgen

It's written in Rust. Install the Rust toolchain installer from https://rustup.rs/

    curl https://sh.rustup.rs -sSf | sh
And remember to add ~/.cargo/bin to your PATH.

Then install my command-line utility

    cargo install pgen
Usage is described in detail in the README on GitHub. Additionally you can ask the program itself for a brief help summary.

    pgen --help
Eventually pgen will be available in some package manager repos so that you can use your preferred package manager to install pgen but until then it must be built from source following the steps above.
7 comments

https://defuse.ca/passgen.htm uses /dev/(u)random on Linux and CryptGenRandom() on Windows, with source code on GitHub for Linux https://github.com/defuse/passgen and https://github.com/defuse/WinPassGen

Without a pile of dependencies :P

Mine makes use of a friendly wordlist, so that is my selling point. I forgot to mention that because it already says so in my README, but I should have said it in my comment too.
The other passgen also can use a wordlist.
Personally I've always just done:

    </dev/urandom base64 | head
and picked a bit I liked
Picking the bit you like makes it hard to reason about how secure that is. It could be your preferences are much narrower than you realise. If you're going for something you find aesthetically pleasing or memorable then that's probably going to seriously limit password entropy. On the other hand if you're trying to pick something that "looks random" then you should know humans are terrible at that.
20 perfectly random characters from a base64 stream have 20*6 = 120 bits of entropy. If you pick 20 characters from out of 1000 choices you can see on the screen, that would seem to remove at most 10 bits of entropy, no? (2^10 ~~ 1000)
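A worked example of the two points above: drawing words uniformly from a wordlist the way a diceware-style generator does it (including the rejection step that avoids modulo bias), mapping five physical dice to an index, and the entropy arithmetic for "N words from a list" versus "a window picked out of a random dump". This is added here and is not code from pgen or from anyone in the thread; the twelve-word list is a constructed stand-in for the EFF large list (7776 words) and the file path is an assumption.

```sh
#!/bin/sh
# Added example (not pgen's code): uniform word selection, dice lookup and
# entropy arithmetic for a diceware-style passphrase generator.

# Constructed toy wordlist so the script runs offline. For real use point
# WORDLIST at the EFF large list (7776 words), one word per line.
WORDLIST="${WORDLIST:-$(mktemp)}"
if [ ! -s "$WORDLIST" ]; then
  printf '%s\n' correct horse battery staple cobalt meadow \
    puzzle velvet anchor harbor lantern orbit > "$WORDLIST"
fi

# Print an unbiased index in [0, n) from two bytes of /dev/urandom.
# Values >= limit are thrown away; taking r % n directly would favour
# the low indexes whenever 65536 is not a multiple of n.
random_index() {
  n=$1
  [ "$n" -gt 0 ] && [ "$n" -le 65536 ] || return 1   # two bytes cover lists up to 65536
  limit=$(( 65536 - 65536 % n ))
  while :; do
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    if [ "$r" -lt "$limit" ]; then
      echo $(( r % n ))
      return 0
    fi
  done
}

# Print COUNT words from WORDLIST, space separated, each drawn independently.
passphrase() {
  count=$1
  total=$(wc -l < "$WORDLIST" | tr -d ' ')
  out=""
  i=0
  while [ "$i" -lt "$count" ]; do
    idx=$(random_index "$total")
    word=$(sed -n "$((idx + 1))p" "$WORDLIST")
    out="${out}${out:+ }$word"
    i=$((i + 1))
  done
  echo "$out"
}

# Map five physical dice (e.g. "31462") to an index in [0, 7776): the rolls
# are base-6 digits with 1 standing for 0, which is how a diceware table works.
dice_index() {
  rolls=$1
  [ "${#rolls}" -eq 5 ] || { echo "need five dice" >&2; return 1; }
  idx=0
  for d in $(printf '%s' "$rolls" | sed 's/./& /g'); do
    case $d in [1-6]) ;; *) echo "bad die: $d" >&2; return 1 ;; esac
    idx=$(( idx * 6 + d - 1 ))
  done
  echo "$idx"
}

# Entropy of COUNT words drawn uniformly from LISTSIZE words: COUNT * log2(LISTSIZE).
entropy_bits() {
  awk -v n="$1" -v w="$2" 'BEGIN { printf "%.1f\n", n * log(w) / log(2) }'
}

# Upper bound on what an attacker gains if you choose one of POSITIONS windows
# out of a random dump (the "picked a bit I liked" case): log2(POSITIONS).
window_choice_bits() {
  awk -v p="$1" 'BEGIN { printf "%.1f\n", log(p) / log(2) }'
}

# Run as: sh this.sh generate 6
if [ "${1:-}" = "generate" ]; then
  n_words=${2:-6}
  passphrase "$n_words"
  echo "entropy: $(entropy_bits "$n_words" "$(wc -l < "$WORDLIST" | tr -d ' ')") bits"
fi
```

With the real EFF list six words come out at about 77.5 bits; with the toy list above the same six words are worth only 21.5 bits, which is why the list size matters as much as the word count.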
"picked a bit I liked" means selecting a length suitable for the site without any weird characters that the site will reject, not trying to find my place of birth in the output!
Ah ok, that makes more sense! I'm just so used to people telling me they "like" their password to be the name of their cat. :P
I dunno, I wouldn't discount this entirely. An advanced targeted attack could likely profile a user for their "likes" in a random string (e.g., favorite letters appearing often), but in the case of anonymous, brute-force-style attacks, "I just click things and scroll around until I see something I like" is probably really useful. It could, for example, protect against a somewhat predictable generator, since you won't know "the user always uses the first password, and the first password is always seeded incorrectly", or some other specific implementation flaw.
I do similar filtering, to :graph: or :alnum:, and drop some characters.

What I keep meaning to do is optimise for different entry mechanisms, I know it reduces strength but going from lower to UPPER to specials to UPPER to lower to additional-specials, etc., is a huge pain on a 5-key entry system (eg FireTV).

FWIW, 'cargo install' is designed to be for distributing dev-tools, rather than for end-user tools. I believe https://github.com/japaric/trust is designed to make it very easy to publish Github Releases from CI systems.
I don't want to be distributing pre-compiled binaries because I don't want others to trust random pre-compiled binaries.

The plan as I said is to get pgen into some package manager repos. Until then building from source will be the only way I will encourage anyone to get a copy of my tool.

I don't think encouraging people to download the precompiled Rust binaries and then blindly compile code downloaded from crates.io is that much different in practice from providing your binaries.
I linked the GitHub repo first. The code is short and the assumption is that you would have a quick glance over the source before you compile it.
If you're trying to encourage people to implicitly trust as few things as possible, I'm not sure your suggested steps are enough: there's no connection between the code in pgen on crates.io and that repository. Even setting aside the prebuilt rust and cargo, I think there would have to be a guarantee that the code being built is the code the suspicious user actually inspected:

  git clone https://github.com/ctsrc/pgen
  cd pgen
  less src/main.rs build.rs # etc.
  cargo install --path . # installs the current package (newer cargo rejects a bare `cargo install` here)
And, one would have to somehow do the same for the dependencies clap and rand, to ensure the code that is built is the code that is inspected.

It's true that avoiding pre-built binaries does avoid issues with the computer that builds them, and problems with the distribution mechanism, but instead distributing as source from external package repositories (and packages maintained by others) seems like it's losing convenience without gaining much security.

In any case, neat project! I like the option to throw physical dice.

That looks like a decent tool but I wonder about its use case. The passwords are far too long to be entered on anything without a dedicated keyboard and you'd not want to be typing them in too often.

Sure, there are some use cases that fit but there's many more that don't.

I usually use apg for this purpose, installed on Ubuntu with:

    sudo apt install apg
I think I would have a hard time memorizing 12 word passphrases
A personal question. Do people really install megabytes of dependencies to run what would be a one line shell script, were it written in shell?
A bigger issue is blindly executing "curl ... | sh -" for something you are going to use to generate passwords (though it's bad in general).
That is the official way that you install the Rust toolchain. https://www.rust-lang.org/en-US/install.html

Rust is still undergoing changes frequently enough that most package manager repos have a very old version of the Rust toolchain in terms of what it is capable of doing.

For example the version of rustc that you get from Ubuntu default repositories was too old to compile my pgen when I checked some weeks ago.

And exactly because the tool is for generating passwords I don't want to distribute pre-compiled binaries of my tool myself, and therefore until I get pgen itself into package manager repos I tell people to download the Rust toolchain and to build my tool from source themselves as I did above.

You wouldn't manage that with a one-line shell script, assuming that you want to format it reasonably. :)

I do agree that having to install loads of things for a simple tool is overkill, but I'd wager the actual binary produced doesn't have many dependencies (I'd expect just libc, in fact); so should this at some point land in a package manager, your life will improve.

Well...

    CHECKPW="p@ssword" SHA1=`echo -n "$CHECKPW" | sha1sum`; curl -s https://api.pwnedpasswords.com/range/${SHA1:0:5} | grep -i ${SHA1:5:34}
Note that this command doesn't work if your password contains an exclamation mark.
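A hardened version of the one-liner above, added here and not the commenter's code: the password is read from stdin rather than a variable on the command line (so it stays out of the process list and history expansion never sees a "!"), printf replaces echo -n, the hash suffix is matched locally so only the five-character prefix leaves the machine, and a failed lookup is reported instead of silently reading as "not found". The sample range body is constructed for the example; the count in it is made up, but the suffix is the real SHA-1 of "password".

```sh
#!/bin/sh
# Added example: HIBP range (k-anonymity) check. Only the first 5 hex chars of
# SHA-1(password) are sent; the remaining 35 are compared locally.

# SHA-1 of stdin as 40 lowercase hex chars with the trailing "  -" stripped.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

# Read a range body ("SUFFIX:COUNT" lines, CRLF) on stdin and print the count
# for SUFFIX (35 uppercase hex chars), or 0 when it is absent.
range_count() {
  suffix=$1
  tr -d '\r' | awk -F: -v s="$suffix" 'toupper($1) == s { found = $2 } END { print found + 0 }'
}

# Split a 40-char SHA-1 into the prefix that is sent and the suffix that is kept.
hash_prefix() { printf '%s' "$1" | cut -c1-5; }
hash_suffix() { printf '%s' "$1" | cut -c6-40; }

# Online check. Password on stdin; prints the breach count (0 = not found).
# Returns 2 if the API could not be reached, so "0" is never a network error.
pwned_count() {
  hash=$(sha1_hex | tr 'a-f' 'A-F')
  body=$(curl -sf "https://api.pwnedpasswords.com/range/$(hash_prefix "$hash")") \
    || { echo "lookup failed" >&2; return 2; }
  printf '%s\n' "$body" | range_count "$(hash_suffix "$hash")"
}

# Offline variant: RANGEFILE holds a previously downloaded range body for the
# password's prefix (handy for tests or an air-gapped box).
pwned_count_from_file() {
  rangefile=$1
  hash=$(sha1_hex | tr 'a-f' 'A-F')
  range_count "$(hash_suffix "$hash")" < "$rangefile"
}

# Constructed sample of what the API returns for prefix 5BAA6. The second
# suffix is the real tail of SHA-1("password"); the counts are invented.
SAMPLE_RANGE='0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFF7F3C4E31CFE2A0B7E1F0F5E5F0A3B2C:2'

# Usage (interactive shell): printf '%s' 'p@ssword!' | pwned_count
# Single quotes keep "!" away from history expansion.
```

The offline function is what you would wire into a test harness or a password-change hook on a machine without outbound access, feeding it a range body fetched elsewhere.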
I wrote this as a replacement for what was previously a function in my .bashrc because of two things:

1) My shell function was too slow. There was a noticeable delay and it became annoying. The tool I wrote in Rust is insanely fast. Life improved!

2) The wordlist I used to use would use /usr/share/dict/words. These words are not good for typing because there are a lot of weird and arcane words in that list. The new tool I wrote has an optimized wordlist made by the EFF (read about it in the README) compiled right into it.

Regarding your question about installing other dependencies, like I said I will eventually get it into package managers. The pgen utility is a single binary. My assumption until then is that the people interested in my tool also happen to be interested in Rust and that therefore installing the Rust toolchain to use my tool will also give them motivation to get back into learning Rust like they at some point started doing. This was intentionally unstated but now you made me say it :)

Mental bandwidth is more expensive than megabytes, so yes.