This generates the password on a server you don't control.
I recommend not using it.
Using 'tr -dc A-Za-z0-9 < /dev/urandom | head -c $length' is more secure and available on your linux or osx machine even more easily than waiting a second for a server to run some java off in a magic black box.
You can also try indexing into /usr/share/dict/words for a correcthorsebatterystaple-style password. I'm sure there's a cute one-liner, I did it in Python because that took a lot less time than all the man page searching how to do it with Unix text processing tools would have taken.
Yes, it would be better to remember random characters of the same length. But most people don't. I personally have one password I use to sign into 1password and a small other set of critical services, and longer random passwords for everything else. I personally don't worry about nation state adversaries so I can make myself less vulnerable to mass automated attacks and targeted attacks by non-experts. It's important to remember not to let perfect be the enemy of the good, and important not to discount the cost of DOSing yourself. I reduced my security after I lost access to something of value.
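The local word-list approach discussed above, as an added example that is not code from any commenter in this thread: it draws words with Python's `secrets` module (backed by the OS CSPRNG, the same source as /dev/urandom) and reports the resulting entropy. The sample word list, function names and length limits are constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample list so the example runs offline; in practice pass the
# result of load_words() (or a diceware list) through clean() instead.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "Zurich", "it's",
                "ab", "horse", "orbit", "lantern", "gravel", "mosaic"]


def load_words(path="/usr/share/dict/words"):
    """Read one word per line from a local dictionary file."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.strip() for line in fh]


def clean(words, min_len=4, max_len=8):
    """Keep unique lowercase ASCII words; drops possessives and proper nouns."""
    allowed = set(string.ascii_lowercase)
    kept = {w for w in words
            if min_len <= len(w) <= max_len and set(w) <= allowed}
    return sorted(kept)


def passphrase(words, count=4, sep="-"):
    """Pick words independently (with replacement) using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, count):
    """Entropy of `count` uniform, independent picks from `pool_size` items."""
    return count * math.log2(pool_size)


def random_password(length=20, alphabet=string.ascii_letters + string.digits):
    """Python counterpart of: tr -dc A-Za-z0-9 < /dev/urandom | head -c N"""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    pool = clean(SAMPLE_WORDS)
    print(passphrase(pool), f"({entropy_bits(len(pool), 4):.1f} bits)")
    print(random_password(20), f"({entropy_bits(62, 20):.1f} bits)")
```

The entropy figure only holds if the generated phrase is used unmodified; the 8-word sample pool gives a deliberately tiny 12 bits, which is why a real dictionary or diceware list is needed.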
Thanks! I'm trying to learn bash, and it's going slow (right now still trying to fully understand set -euxo pipefail). I would not have guessed that a command existed to make random permutations, I was expecting an awk incantation.
Thank you. I think it's a testament to the power of unix that two different people responded with solutions using different commands. I should have thought of sort, it feels natural in retrospect. Am I right in believing bash pipes are lazy enough that that won't require sorting the whole file, just pulling out four random lines?
As a side note, I'm guessing grep had -v before it became a standard for verbose? That's one of the hardest parts: it seems open source tools never change UI to help new users at the expense of old ones having to change workflows. A valid way of doing it, and as someone who's never contributed to anything open source I have no place to criticize. Just saying makes it harder. (And I'm realizing I haven't used any closed source software from a comparable time, so I have no idea if this is FOSS-specific)
I don't think grep was originally open source. FWIW, the mnemonic for -v on grep is inVert. I'm so happy that --long_options are a thing nowadays, much more readable.
I'm pretty sure that head pulls from up in the pipeline line-by-line. Interesting to know the mnemonic. Many modern command-line utilities use -v for verbose logging, in my (limited) experience.
From the perspective of someone who's just getting started with learning to code, perl seems like a pile of spermaceti: was once very important, could be turned into beautifully smelling products so long as you didn't pay too much attention to the production process, and no longer needed because of modern synthetics :)
But I've only ever read people mocking perl, never built anything with it. It appears immensely powerful, but collapsing arrays by default makes no sense at all.
I will, I hope, someday. I want to get an intermediate knowledge of Lisp, or C, or Rust first I think. I know a bit of Python, and think I'd prefer to learn something more different than it next. My impression is that Python is a less whimsical more enterprise-y and conformist sibling of ruby.
It looks cool, but I'd rather use completely independent random passwords. You seem like a nice person, but I don't trust you to have gotten your crypto totally right. Someday I'll describe how a massive flaw in my understanding of gpg and pass let me recover from losing my gpg key.
One small comment: the password I remember is the password I type, or I run into issues. If the sentence has "the" and plurals, so will the password.
(This password I generated was only used as a master and for a handful of key services)
> You seem like a nice person, but I don't trust you to have gotten your crypto totally right.
That's the correct position to hold. Note that my readme makes you read through big fat warnings and security considerations before getting to installation and usage instructions.
I did note that, and I agree you're completely correct to disclaim I shouldn't use your work if I would be relying on its security. I chose to listen to you :)
If you get "tr: Illegal byte sequence" you can prepend 'LC_ALL=C ' before the 'tr' to prevent tr from trying to treat the stream as a unicode sequence.
This isn't a great site or anything and you're right that password should be generated client-side. But not everyone is on Linux or Mac and sometimes it's just easier to Google "password generator" than remembering that command.
There are plenty of actually secure and usable password generators, such as the one integrated with keepass / 1password / etc.
I'm sure there are secure websites to do it too. This isn't it though.
The dropbox comment isn't relevant. It's a bias to say "I remember this thing was criticized in a similar way but succeeded" and map that on to "so other criticisms aren't valid".
It's far more often that things seem unlikely to succeed to critics, and then quietly fail than that things seem unlikely to succeed to critics, but then succeed. After all, almost everything ever made doesn't see widespread success.
Our brain does remember the latter cases more, and that leads to the bias.
I see it most commonly with the phrase "X started out small too" as a defence for why something small will grow to something big, when in reality that's cherry picking massively.
Such websites have to be audited every single time you use it. Even if I only have a web browser and nothing else I would combine random.org and diceware.com instead of trusting some website.
Password managers and browsers themselves can generate passwords. Generating passwords with a website is a terrible idea, googling "password generator" and going to some random website is an even worse variant of the same idea.
I find it bizarre that you have exactly 3 comments in 5 years, all of which are on dbremmen's posts, who happens to be the creator of browxy [0].
Forgive me if I don't trust my password generation on the servers of someone who is either sock-puppeting, or having a friend do something that does not look all that different.
Even if I trust the person who runs the browxy website and servers, I don't trust my password generation to a multi-tenant environment. Browxy is running this code in docker containers on a machine with many other docker containers running arbitrary user-submitted code. The Intel vulnerabilities over the past year or so have made it incredibly clear that running sensitive code on the same CPU as totally untrusted and possibly malicious code is a dangerous proposition and there are numerous potential side channels to exfiltrate data.
Trusting password generation to a website that generates passwords on a shared machine is even worse than the usual password generation website which at least uses javascript/securerandom to do it on my CPU.
Yes, you're right, I just created this password generator for fun in the browxy online compiler. The UI is auto-generated with a tool that the site provides. I'm just curious why this tool caused so much interest and wondering what other tools can be built that cause this type of interest...
I created something similar ~2 decades ago in perl. It would spit out a long list of passwords in text format so you could choose one without the server knowing what you chose.
That's a nice idea! I just created this password generator for fun like other utilities in java but I don't know why just this one generated so much interest. You can see the source code using the button to the bottom right (the one that has 1's and 0's)
Thanks for all the nice comments that are intended with good karma. What other feature can I add to this password generator that is useful? I agree that using linux is more secure but for passwords that are not as important I think this tool works fine, also you don't need to remember a big line of code and you can execute it on your mobile phone
It seems surprisingly complicated. Why is there a “start” and “stop” button? Why does it take so long for it to generate a random string? Why is there a “console” that just seems to show the page template?
You're right! Console and stop button are not necessary. The UI is generated with a UI creation tool that matches program arguments with UI widgets (see: https://ibb.co/phQQFxr). In this case there is an option missing to not show the stop button and the console (These are shown because you can create interactive programs with browxy)