[PATCH] stop using pwgen

Simon Lackerbauer simon at lackerbauer.com
Sun Dec 18 18:13:12 CET 2016


On 12/18/2016 05:54 PM, ilf wrote:
> Brian Candler:
>> Furthermore, despite consuming so much entropy, it doesn't even
>> guarantee that every password generated has at least one upper-case,
>> lower-case, digit and symbol - i.e. the password may still be rejected
>> by many websites!
> 
> Websites that impose such complexity requirements are not following the
> NIST Digital Authentication Guidelines:

Yeah, but that's beside the point. If the majority of websites
(including really big sites) impose such requirements, then they'll
impose such requirements until the time they stop doing it. Rejecting
reality won't get you far in that case.

But, like Jason said, most users will get around those requirements by
just kinda randomly inserting a number or upper-case letter into the
generated password. Especially considering the likely userbase of pass,
the proposed process should generally suffice.

-- 
www.lackerbauer.com
8A86 BD14 1859 44F2 5B83  6908 4B81 EE5D 6A56 A4DE

