[pass] Provide symbol set as command line argument

Kenny Evitt kenny.evitt at gmail.com
Wed Nov 9 17:56:17 CET 2016 

Replacing `pwgen` shouldn't be a big deal. The only Pass command that uses
it is `generate` and the only options passed to are whether to include
symbols and the length of the password.

Incidentally, I cobbled together a handy way of generating arbitrary
passwords of any length using only specific special characters. It should
work on most any Unix or Unix-like system. Here's an example for generating
a password of 32 characters with only a limited set of special characters:

```
head /dev/urandom | tr -dc 'A-Za-z0-9!@#$%^&*()' | head -c 32 && echo
```

Here's an example with all of the OWASP special characters, which would be
a good default if no set of { symbols / special characters } are specified:

```
head /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' |
head -c 32 && echo
```

`pwgen` by default "generates passwords which are designed to be easily
memorized by humans, while being as secure as possible". Pass hard-codes
the call to `pwgen` to use the 'secure' option which will "generate
completely random, hard-to-memorize passwords", so just reading from
*/dev/urandom* is probably just as good (and likely pretty similar to
whatever `pwgen` is doing when the secure option is specified).

Below is a patch with changes that replace `pwgen` with my above commands.

Both `apg` and `mkpasswd` have some nice options for ensuring that
passwords definitely contain certain types of characters, which is
particularly useful for passwords that need to meet certain requirements,
e.g. always include a special character.

But perhaps, instead of Pass depending directly on any particular password
generator, it simply call another specified program to do so. If some
passwords didn't (annoyingly) necessitate *excluding* certain special
characters `pwgen` should be more than good enough. But given that
generating arbitrary passwords for all of the possible sets of valid
passwords is (annoyingly) difficult, perhaps Pass shouldn't bother to try
to implement that itself beyond its current okay-ish default dependency on
`pwgen`.



```
diff --git a/src/password-store.sh b/src/password-store.sh
index 63be840..10463cb 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -16,6 +16,7 @@ PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
 X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}"
 CLIP_TIME="${PASSWORD_STORE_CLIP_TIME:-45}"
 GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}"
+DEFAULT_SYMBOLS="${PASSWORD_STORE_DEFAULT_SYMBOLS:-\!\"#\$%&\'()*+,-./:;<=>?@[\]^_\`{|\}~}"

 export GIT_DIR="${PASSWORD_STORE_GIT:-$PREFIX}/.git"
 export GIT_WORK_TREE="${PASSWORD_STORE_GIT:-$PREFIX}"
@@ -235,8 +236,8 @@ cmd_usage() {
                overwriting existing password unless forced.
            $PROGRAM edit pass-name
                Insert a new password or edit an existing password using
${EDITOR:-vi}.
-           $PROGRAM generate [--no-symbols,-n] [--clip,-c] [--in-place,-i
| --force,-f] pass-name [pass-length]
-               Generate a new password of pass-length (or
$GENERATED_LENGTH if unspecified) with optionally no symbols.
+           $PROGRAM generate [--clip,-c] [--in-place,-i | --force,-f]
pass-name [pass-length] [symbols]
+               Generate a new password of pass-length (or
$GENERATED_LENGTH if unspecified) with optional set of symbols to use (or
$DEFAULT_SYMBOLS if unspecified).
                Optionally put it on the clipboard and clear board after
$CLIP_TIME seconds.
                Prompt before overwriting existing password unless forced.
                Optionally replace only the first line of an existing file
with a new password.
@@ -431,21 +432,21 @@ cmd_edit() {
 }

 cmd_generate() {
-       local opts clip=0 force=0 symbols="-y" inplace=0
-       opts="$($GETOPT -o ncif -l no-symbols,clip,in-place,force -n
"$PROGRAM" -- "$@")"
+       local opts clip=0 force=0 inplace=0
+       opts="$($GETOPT -o cif -l clip,in-place,force -n "$PROGRAM" --
"$@")"
        local err=$?
        eval set -- "$opts"
        while true; do case $1 in
-               -n|--no-symbols) symbols=""; shift ;;
                -c|--clip) clip=1; shift ;;
                -f|--force) force=1; shift ;;
                -i|--in-place) inplace=1; shift ;;
                --) shift; break ;;
        esac done

-       [[ $err -ne 0 || ( $# -ne 2 && $# -ne 1 ) || ( $force -eq 1 &&
$inplace -eq 1 ) ]] && die "Usage: $PROGRAM $COMMAND [--no-symbols,-n]
[--clip,-c] [--in-place,-i | --force,-f] pass-name [pass-length]"
+       [[ $err -ne 0 || ( $# -ne 3 && $# -ne 2 && $# -ne 1 ) || ( $force
-eq 1 && $inplace -eq 1 ) ]] && die "Usage: $PROGRAM $COMMAND [--clip,-c]
[--in-place,-i | --force,-f] pass-name [pass-length] [symbols]"
        local path="$1"
        local length="${2:-$GENERATED_LENGTH}"
+       local symbols="${3:-$DEFAULT_SYMBOLS}"
        check_sneaky_paths "$path"
        [[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\"
must be a number."
        mkdir -p -v "$PREFIX/$(dirname "$path")"
@@ -454,7 +455,7 @@ cmd_generate() {

        [[ $inplace -eq 0 && $force -eq 0 && -e $passfile ]] && yesno "An
entry already exists for $path. Overwrite it?"

-       local pass="$(pwgen -s $symbols $length 1)"
+       local pass="$(head /dev/urandom | tr -dc "A-Za-z0-9$symbols" | head
-c "$length" && echo)"
        [[ -n $pass ]] || exit 1
        if [[ $inplace -eq 0 ]]; then
                $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
"${GPG_OPTS[@]}" <<<"$pass" || die "Password encryption aborted."
```

On Tue, Nov 8, 2016 at 5:23 PM, Diego Depaoli <trebestie at gmail.com> wrote:

> I agree.
> This is not a big issue, but sometimes limited pwgen features are annoying.
> Could apg or makepassword bè reliable replacements?
>
> My best regards
>
> Il mar 8 nov 2016 20:55 Michael Hoff <mail at michael-hoff.net> ha scritto:
>
> Hello,
>
> first of all: Really nice project!
>
> I very often encounter the problem that services do not allow all symbols
> used by pass/pwgen.
> "Your password has to contain at least one of the following symbols
> '*#_!'" (e.g. '<' is forbidden)
>
> This does hinder my work-flow as I have to manually adapt the password to
> match the criteria.
>
> Straight-forward solution to this problem would be to provide the symbol
> set via optional command line argument to the generate command.
>
> Example: pass generate *-s "*#_!"* path/to/password 20
>
> I already checked man page and source code of pwgen. Unfortunately this
> feature is not provided out of the box.
>
> I see multiple possible solutions to this:
> - Exchange pwgen with apg (possibly massive side-effects)
> - Extend pwgen
> - Let pass itself convert unwanted symbols generated by pwgen (hacky)
>
> What do you think?
>
> Cheers,
> Michael Hoff
>
> --
> S/MIME and PGP (0xA79D31C0) supportedhttps://michael-hoff.net
>
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store
>
> --
> Diego Depaoli
>
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20161109/ce78b555/attachment.html>

More information about the Password-Store mailing list