[PATCH] stop using pwgen

Antoine Beaupré anarcat at debian.org
Sun Dec 18 16:53:09 CET 2016


On 2016-12-18 10:15:40, Daniel Dörrhöfer wrote:
> So why not fix pwgen? Remember the unix philosophy »tools should *do one
> thing*, and *do* it well«.
> If you think you can do a better job, then you should fork it.

I don't believe I can convince the pwgen maintainers to change the
primary goal of the program, which is, according to the manpage:

       pwgen - generate pronounceable passwords

I don't think that a password manager should generate "pronounceable
passwords". It should generate passwords that are difficult to guess and
easy to transfer, they do not need to be "pronounceable".

Even if one would *want* pronounceable passwords, pwgen is notoriously
bad at doing that: the passwords it generates are of low
entropy, as I mentioned in the commit log:

http://www.openwall.com/lists/oss-security/2012/01/22/6

Besides, why would you want "pronounceable" passwords? I would rather
have "memorable" passwords, and those are better generated by
"xkcd-style" password generators like diceware and others I mentioned
previously as well.

So I don't think I want to fork pwgen - that seems like a failed
enterprise, especially since there are trivial ways of generating
passwords out there in various languages: it's a 3 element pipeline in
bash, 3 lines of code in Python - why would we need to fork(2) in some
other codebase we don't control?

I didn't want to get dragged into a whole critique of pwgen. I think
it's fine the project is out there, it's just our specific use case that
is not a good fit for it.

A.

-- 
The world is a dangerous place, not because of those who do evil,
but because of those who look on and do nothing.
                        - Albert Einstein
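The message above argues that a password manager should draw passwords uniformly from a large alphabet (or, for memorable ones, words from a diceware-style list) rather than rely on pwgen's pronounceable output, and that doing so takes only a few lines of Python. The following is an added illustration of that point, not code from the mail or from the pass project: a uniform character-password generator built on the standard library's `secrets` module, a diceware-style passphrase generator over a wordlist, and the entropy estimate `length * log2(alphabet_size)` that applies to either as long as every symbol is drawn independently and uniformly. The short wordlist is a constructed stand-in; a real diceware list has 7776 entries, which is where the figure of roughly 12.9 bits per word comes from.

```python
import math
import secrets
import string

# Default alphabet: the 94 printable ASCII characters, excluding space.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a diceware list. A real list has 7776 words,
# giving log2(7776) ~= 12.9 bits per word; this toy list gives far less.
SAMPLE_WORDLIST = (
    "apple", "basket", "candle", "dragon", "ember", "forest",
    "garden", "harbor", "island", "jungle", "kettle", "lantern",
    "meadow", "nectar", "orchid", "pebble",
)


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Return `length` symbols drawn uniformly and independently from `alphabet`.

    `secrets.choice` uses the operating system's CSPRNG and avoids modulo
    bias, so each symbol is equally likely; that uniformity is what makes
    the entropy estimate in `entropy_bits` honest.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain repeated symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(num_words=6, wordlist=SAMPLE_WORDLIST, separator=" "):
    """Return a diceware-style passphrase: `num_words` words chosen uniformly.

    Words are joined with `separator`, so the wordlist must not contain it,
    otherwise the passphrase could be split back into words ambiguously.
    """
    if num_words < 1:
        raise ValueError("num_words must be positive")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicate words")
    if any(separator in word for word in wordlist):
        raise ValueError("wordlist entries must not contain the separator")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a string of `length` uniform, independent symbols.

    For characters, `alphabet_size` is the number of distinct characters;
    for passphrases, it is the number of words in the list. The formula does
    not hold for generators that constrain output (e.g. to be pronounceable),
    since those rule out most strings of the same length.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest symbol count whose uniform strings carry at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20, len(DEFAULT_ALPHABET)):.1f} bits)")
    print("symbols needed for 128 bits over 94 chars:", length_for_bits(128, 94))
    print("words needed for 128 bits from a 7776-word list:", length_for_bits(128, 7776))
    print(generate_passphrase(6, SAMPLE_WORDLIST),
          f"({entropy_bits(6, len(SAMPLE_WORDLIST)):.1f} bits with the toy list)")
```

Running it shows the trade-off the mail is getting at: twenty characters from the 94-symbol alphabet carry about 131 bits, while a six-word passphrase from a full diceware list carries about 77 bits and is far easier to remember and type across.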

