I get the spirit - but this is way more convoluted than just letting 1Password generate and save everything for me in 1-2 clicks without ever leaving the browser. And as a bonus I don’t have to copy+paste it, care about where it’s stored, and it will auto-fill for me. Not to mention they just magically appear on all my devices without some home brewed syncing scheme :)
It copies passwords like `Uncertain-Postbox-Cannot5` to your clipboard. Much easier to remember/type, and just as secure. I've assigned that to a hotkey, so whenever I need a password I press Super+G, Ctrl+V, and that's it.
In that case, `[:print:]` instead of `[:alnum:]` will include all printable characters.
Although I'm pretty sure I've met websites that require brackets and ampersands but will reject, say, periods and underscores, because web developers are sociopaths.
I've never had a website outright reject certain special characters, but I've had some passwords silently accepted at signup and then rejected at login. So I usually randomize the password until it doesn't include any backslashes or asterisks...
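Added example, not part of any comment in this thread: a shell function that draws a password from `/dev/urandom` through a `tr` character class and rerolls until it contains none of a caller-supplied set of characters. The function name `genpw` and its `FORBIDDEN` argument are assumptions made for illustration.

```shell
# Added example, not from the thread.
# genpw LENGTH [FORBIDDEN] prints one password of LENGTH characters drawn
# from printable ASCII without the space (tr's [:graph:] class).
# FORBIDDEN (hypothetical parameter) is a string of characters the target
# site is known to mishandle, e.g. '\*' for backslash and asterisk.
genpw() {
    len=${1:-20}
    forbidden=${2:-}
    while :; do
        # Read a bounded chunk from the kernel CSPRNG and keep only the
        # allowed bytes. Dropping unwanted bytes (rather than mapping them
        # with a modulo) keeps every allowed character equally likely.
        pw=$(head -c $((len * 8)) /dev/urandom |
            LC_ALL=C tr -dc '[:graph:]' | head -c "$len")
        # The chunk may have held too few allowed bytes: draw again.
        [ "${#pw}" -eq "$len" ] || continue
        # Reroll the whole password if any forbidden character is present.
        if [ -n "$forbidden" ]; then
            case $pw in
                *["$forbidden"]*) continue ;;
            esac
        fi
        printf '%s\n' "$pw"
        return 0
    done
}
```

Rerolling the whole password leaves it uniformly distributed over the strings that avoid the forbidden characters, so the only cost is the slightly smaller alphabet.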
I've had this happen on pure length. I believe KeePass defaults to 20 characters. I've seen websites accept 20 characters on sign up, but internally, the login only accepts 12 characters, but it doesn't truncate the input either. I had to enter the first 12 characters and submit the form, and it worked.
I was completely baffled on why it was designed that way - if you're going to truncate the password, the login field should do the same.
Omg you must have incredible luck when filling out sign in forms. There must be some sort of sadistic instinct on the types of people who design password forms. I’ve had passwords rejected for being too long (over 15 characters), including the “wrong” kind of special characters, having the same character repeated twice in a row, not having enough numbers, just to name ones I can remember off the top of my head. Oh the best ones don’t tell you the rules until after you’ve been rejected.
A special place in hell is reserved for those websites that consider themselves too cool for a password manager. They actively block auto fill or cut & paste in the password field. I don’t envy the 1password devs for having to put up and work around this stuff.
Don’t get me wrong I appreciate the hacks. But I can’t exactly walk my father in law through that process when he hardly understands what a password manager is and why it’s important in the first place. Plus this doesn’t help at all on mobile.
> I've never had a website outright reject certain special characters,
This is exceedingly common for US banks. You'll find, usually only after pasting in the newly generated random password and clicking submit, that the "your password must include at least one number and two special characters" description up front failed to also include: "oh, also, we do not allow use of the character % in your password" (or some other character).
When I created an account to take out a mortgage with a UK bank, I found they allowed up to 12 ASCII alphanumeric chars for a password. I forget if there was a min length.
This was around October 2019, so it's not like they shouldn't have known better.
This creates one password of 32 characters of reasonable classes. There are options to adjust character classes if the site enforces something like that.
`/dev/urandom` isn't a real file / stream. It's part of the 'everything is a file' *nix mantra. Even if two users are reading from `/dev/urandom` simultaneously, they'll each get unique values. The CSPRNG keeps track of a sequence number and so you'll end up with something like [process 0 requests sequence 0, process 1 requests sequence 1, process 1 requests sequence 2, process 0 requests sequence 3...].
Is that strictly true? I know urandom doesn't block if it lacked entropy, but if it had entropy I was under the impression urandom's output was derived from that instead.
Well, a lot has changed since the article. For one, the test tool now eats more CPU than the RNG.
From my dumb tests (run `dd` in one, then many threads), the 4-thread run has 4x the performance of the single-thread one (I have a 4-core CPU), while the 16-thread one has predictably same-ish total throughput, so if there is any serialization still there, it is not very noticeable.