[PATCH] stop using pwgen

Leho Kraav leho at kraav.com
Tue Dec 20 14:44:28 CET 2016


On Tue, Dec 20, 2016 at 02:29:01PM +0100, ilf wrote:
> Kjetil Torgrim Homme:
> > sometimes you have to enter passwords by hand
> 
> If that's your use-case, it could be an option.
> 
> But that shouldn't be the default. The default use of pass is for 
> copy+paste.
> 
> So by default, generated passwords should be high-entropy instead of 
> meaningful and memorable.

Not sure these are the correct qualifications we're looking for. I
have been in Kjetil's use-case scenario multiple times; here's the
conclusion:

* meaningful - not important
* memorable - not important
* readable - important
* lengthy - important

Is there a meaningful security difference between gibberish and a
lengthy random human-readable word list sentence, with mixed-case and
numbers and all? The famous XKCD illustration addressed this adequately
for most purposes, no?
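The comparison the message asks about comes down to counting bits: a secret made of `length` uniformly random picks from `alphabet_size` symbols has `length * log2(alphabet_size)` bits whether the symbols are printable characters or whole words. The following is an added example, not part of the original post or of pass; it assumes a 7776-entry word list (the classic diceware size) for the entropy figures and embeds a small constructed list only so the generator runs offline.

```python
import math
import secrets
import string

# 94 printable ASCII characters, excluding space: letters, digits, punctuation.
GIBBERISH_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list; real lists have thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "lantern", "orbit",
                "velvet", "granite", "meadow", "cobalt", "ember", "quartz"]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols.
    This is what governs guessing resistance; readability is orthogonal to it."""
    return length * math.log2(alphabet_size)

def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Fewest words from a `wordlist_size` list that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def gibberish(length: int) -> str:
    """pwgen-style random string; `secrets` is the CSPRNG, never the `random` module."""
    return "".join(secrets.choice(GIBBERISH_ALPHABET) for _ in range(length))

def passphrase(wordlist, count: int, separator: str = "-") -> str:
    """Readable word-list passphrase drawn with the same CSPRNG."""
    return separator.join(secrets.choice(wordlist) for _ in range(count))

def compare(target_bits: float = 128.0, wordlist_size: int = 7776) -> dict:
    """How long each style must be to reach `target_bits`, plus what fixed-rule
    decorations add: a digit appended at a known position is one pick from 10
    symbols (~3.3 bits); capitalising the first letter of every word is a rule
    the guesser can apply too, so it adds 0 bits."""
    chars = math.ceil(target_bits / math.log2(len(GIBBERISH_ALPHABET)))
    words = words_needed(wordlist_size, target_bits)
    return {
        "gibberish_chars": chars,
        "gibberish_bits": round(entropy_bits(len(GIBBERISH_ALPHABET), chars), 1),
        "passphrase_words": words,
        "passphrase_bits": round(entropy_bits(wordlist_size, words), 1),
        "appended_digit_bits": round(entropy_bits(10, 1), 1),
        "fixed_capitalisation_bits": 0.0,
    }

if __name__ == "__main__":
    print(compare())
    print(gibberish(20), "|", passphrase(SAMPLE_WORDS, 4))
```

With a 7776-word list, ten words land at about 129 bits, the same ballpark as a 20-character pwgen-style string at about 131 bits; the entropy is equal, only the typing experience differs.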


More information about the Password-Store mailing list