by TheDong 2376 days ago
This generates the password on a server you don't control.

I recommend not using it.

Using 'tr -dc A-Za-z0-9 < /dev/urandom | head -c $length' is more secure and available on your Linux or OS X machine even more easily than waiting a second for a server to run some Java off in a magic black box.

You can also try indexing into /usr/share/dict/words for a correcthorsebatterystaple-style password. I'm sure there's a cute one-liner; I did it in Python because that took a lot less time than all the man page searching for how to do it with Unix text processing tools would have taken.

Yes, it would be better to remember random characters of the same length. But most people don't. I personally have one password I use to sign into 1password and a small other set of critical services, and longer random passwords for everything else. I personally don't worry about nation state adversaries so I can make myself less vulnerable to mass automated attacks and targeted attacks by non-experts. It's important to remember not to let perfect be the enemy of the good, and important not to discount the cost of DOSing yourself. I reduced my security after I lost access to something of value.

shuf -n 4 /usr/share/dict/words | tr '\n' ' ' && echo
Thanks! I'm trying to learn bash, and it's going slow (right now still trying to fully understand set -euxo pipefail). I would not have guessed that a command existed to make random permutations, I was expecting an awk incantation.
Your cute one-liner for 4 words:

sort --random-sort /usr/share/dict/words | head -n 4 | tr -d '\n'

You may wish to omit words that have "'" characters, in which case you may throw in a grep -v "'" after the sort.

Thank you. I think it's a testament to the power of unix that two different people responded with solutions using different commands. I should have thought of sort, it feels natural in retrospect. Am I right in believing bash pipes are lazy enough that that won't require sorting the whole file, just pulling out four random lines?

As a side note, I'm guessing grep had -v before it became a standard for verbose? That's one of the hardest parts: it seems open source tools never change UI to help new users at the expense of old ones having to change workflows. A valid way of doing it, and as someone who's never contributed to anything open source I have no place to criticize. Just saying it makes it harder. (And I'm realizing I haven't used any closed source software from a comparable time, so I have no idea if this is FOSS-specific.)

I don't think the pipe could know that head will have the -n 4. In what context is -v standard for verbose?

edit: This Stack Exchange question seems to be relevant: https://stackoverflow.com/questions/45326901/lazy-non-buffer...

I don't think grep was originally open source. FWIW, the mnemonic for -v on grep is inVert. I'm so happy that --long_options are a thing nowadays, much more readable.

I'm pretty sure that head pulls from up in the pipeline line-by-line. Interesting to know the mnemonic. Many modern command-line utilities use -v for verbose logging, in my (limited) experience.
Here's a perl one for fun :)

  perl -MList::Util=shuffle -0ane 'print ((shuffle @F)[0..3],"\n")' < /usr/share/dict/words
Why thank you :)

From the perspective of someone who's just getting started with learning to code, perl seems like a pile of spermaceti: was once very important, could be turned into beautifully smelling products so long as you didn't pay too much attention to the production process, and no longer needed because of modern synthetics :)

But I've only ever read people mocking perl, never built anything with it. It appears immensely powerful, but collapsing arrays by default makes no sense at all.

Perl's problem is that it's more confusing than it is powerful.

I think most of the people who were into Perl for the "beauty" ended up going to ruby.

People who were into it for CPAN went to python.

You might find this interesting, as you can see the spirit is alive and well: https://github.com/learnbyexample/Command-line-text-processi...

  ruby -0ane 'print $F.shuffle[0..3].join,"\n"' < /usr/share/dict/words
If you're intrigued by the idea of perl one-liners, go explore ruby.
I will, I hope, someday. I want to get an intermediate knowledge of Lisp, or C, or Rust first I think. I know a bit of Python, and think I'd prefer to learn something more different than it next. My impression is that Python is a less whimsical more enterprise-y and conformist sibling of ruby.
My unsolicited advice: Don't worry too much about specific languages. The most valuable thing you can do is get a strong command of *nix and solve a lot of real-world problems with it. Make it your desktop OS and spend a lot of time with it. Build yourself a router. Make a RPi do something to improve your life. Take some cloud service you use and figure out if you could do it the libre way yourself. Build your own NAS. Bonus points if you learn vim or emacs while you're doing it.

Don't worry too much about the meta-narrative about the culture associated with each of the languages. The surveillance state is being built with python, but a lot of hardware hackers prefer python too. Ruby is praised for its flexibility, but its most successful project is literally called "Ruby on Rails" because it tells you exactly how to do everything.

The way people feel about languages goes in cycles, so it's good to be aware of it, but you can mostly ignore it. Use the best tools for the job. If the job is making computers do things, the best tool is unix :)

Or Raku https://raku.org:

raku -e 'say lines.pick(4).join' < /usr/share/dict/words

You might be interested in https://github.com/laerling/xkcdget, the correcthorsebatterystaple-type version of my own https://github.com/majewsky/pwget.
It looks cool, but I'd rather use completely independent random passwords. You seem like a nice person, but I don't trust you to have gotten your crypto totally right. Someday I'll describe how a massive flaw in my understanding of gpg and pass let me recover from losing my gpg key.

One small comment: the password I remember is the password I type, or I run into issues. If the sentence has "the" and plurals, so will the password.

(This password I generated was only used as a master and for a handful of key services)

> You seem like a nice person, but I don't trust you you to have gotten your crypto totally right.

That's the correct position to hold. Note that my readme makes you read through big fat warnings and security considerations before getting to installation and usage instructions.

I did note that, and I agree you're completely correct to disclaim that I shouldn't use your work if I would be relying on its security. I chose to listen to you :)
If you get "tr: Illegal byte sequence" you can prepend 'LC_ALL=C ' before the 'tr' to prevent tr from trying to treat the stream as a unicode sequence.
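Putting the thread's two approaches side by side, as an added example that is not from any commenter: the /dev/urandom character generator with the LC_ALL=C fix just mentioned, a word-list picker that drops apostrophe words as suggested upthread, and an entropy estimate for comparing the two. The word list is constructed inline as a stand-in for /usr/share/dict/words, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: client-side password generation.
set -eu

# Random password of $1 characters from the 62-character [A-Za-z0-9] set.
# LC_ALL=C makes tr treat /dev/urandom as raw bytes; in a UTF-8 locale
# (macOS in particular) invalid sequences abort with
# "tr: Illegal byte sequence". Bytes outside the set are dropped (-d -c),
# so every kept byte is uniform over the 62 characters.
# Caveat: under `set -o pipefail` this pipeline reports failure, because
# head closes the pipe after $1 bytes and tr dies of SIGPIPE (status 141).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Constructed stand-in for /usr/share/dict/words (the real file contains
# entries such as "don't", hence the apostrophe filter below).
WORDS="correct
horse
battery
staple
don't
zebra
anchor
velvet"

# Passphrase of $1 words read from stdin, one per line. grep -v "'" drops
# apostrophe words; shuf -n samples without replacement. Note that shuf,
# like sort --random-sort, has to read the whole list before it can
# choose, so a trailing head does not make the pipeline any lazier.
gen_passphrase() {
    grep -v "'" | shuf -n "$1" | paste -sd ' ' -
}

# Entropy in bits of $2 independent uniform choices from $1 symbols,
# i.e. $2 * log2($1). 16 alphanumerics -> 95.3 bits; 4 words from a
# 7776-word diceware list -> 51.7 bits.
entropy_bits() {
    awk -v a="$1" -v k="$2" 'BEGIN { printf "%.1f", k * log(a) / log(2) }'
}

main() {
    printf 'password:   %s\n' "$(gen_password 16)"
    printf 'passphrase: %s\n' "$(printf '%s\n' "$WORDS" | gen_passphrase 4)"
    printf 'entropy: %s bits vs %s bits\n' "$(entropy_bits 62 16)" "$(entropy_bits 7776 4)"
}
main
```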
This isn't a great site or anything and you're right that passwords should be generated client-side. But not everyone is on Linux or Mac and sometimes it's just easier to Google "password generator" than remembering that command.

Your comment reminds me of the infamous Dropbox comment: https://news.ycombinator.com/item?id=9224

There are plenty of actually secure and usable password generators, such as the one integrated with keepass / 1password / etc.

I'm sure there are secure websites to do it too. This isn't it though.

The dropbox comment isn't relevant. It's a bias to say "I remember this thing was criticized in a similar way but succeeded" and map that on to "so other criticisms aren't valid".

It's far more often that things seem unlikely to succeed to critics and then quietly fail than that things seem unlikely to succeed to critics but then succeed. After all, almost everything ever made doesn't see widespread success.

Our brain does remember the latter cases more, and that leads to the bias.

I see it most commonly with the phrase "X started out small too" as a defence for why something small will grow to something big, when in reality that's cherry picking massively.

> there are secure websites to do it too.

Such websites have to be audited every single time you use them. Even if I only have a web browser and nothing else I would combine random.org and diceware.com instead of trusting some website.

Password managers and browsers themselves can generate passwords. Generating passwords with a website is a terrible idea; googling "password generator" and going to some random website is an even worse variant of the same idea.
this is not a random website, this is "the browxy" site
I find it bizarre that you have exactly 3 comments in 5 years, all of which are on dbremmen's posts, who happens to be the creator of browxy [0].

Forgive me if I don't trust my password generation on the servers of someone who is either sock-puppeting, or having a friend do something that does not look all that different.

Even if I trust the person who runs the browxy website and servers, I don't trust my password generation to a multi-tenant environment. Browxy is running this code in docker containers on a machine with many other docker containers running arbitrary user-submitted code. The Intel vulnerabilities over the past year or so have made it incredibly clear that running sensitive code on the same CPU as totally untrusted and possibly malicious code is a dangerous proposition and there are numerous potential side channels to exfiltrate data.

Trusting password generation to a website that generates passwords on a shared machine is even worse than the usual password generation website which at least uses javascript/securerandom to do it on my CPU.

[0]: https://news.ycombinator.com/item?id=11719439

If you look at submissions of these two accounts it’s even worse.
Yes, you're right. I just created this password generator for fun in the browxy online compiler. The UI is auto-generated with a tool that the site provides. I'm just curious why this tool caused so much interest and wondering what other tools can be built that cause this type of interest...