[pass] generate passwords natively instead of dependency

Brian Candler b.candler at pobox.com
Tue Nov 15 11:25:18 CET 2016


On 14/11/2016 21:27, ilf wrote:
> Currently, pass depends on pwgen to generate passwords. I think it 
> would be easy and desirable to drop this dependency and generate 
> passwords natively.
>
> Here's a simple way to generate passwords from /dev/random directly in 
> shell:
>
> tr -dc "[:graph:]" < /dev/urandom | head -c 32
>
> We could also use "alnum" instead of "graph" and/or "base64" instead 
> of "head".
>
> I really see no reason to add an extra dependency, just for its single 
> use on line 457 of src/password-store.sh.
>
> Also, we gain being in control of (and responsible for) password 
> generation ourselves. In the past, there have been issues with pwgen 
> using low-entropy:
> http://www.openwall.com/lists/oss-security/2012/01/22/6
> http://www.openwall.com/lists/oss-security/2013/05/24/7
>
> What do you think? 

I think whatever is done won't satisfy everyone, so it needs to be 
easily pluggable.  I would prefer not in an environment variable - but 
that would probably mean introducing a config file, either in the user's 
home directory, or inside the repo itself (like .gpg-id).
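
The one-liner from the quoted message, wrapped as a shell function with the two character classes mentioned there (an added example, not code from pass or from either poster; gen_password and its arguments are hypothetical names). It pins the locale for tr, validates its arguments, and reads /dev/urandom in bounded chunks instead of streaming it into head.

```shell
#!/bin/sh
# Added example; gen_password and its arguments are hypothetical names.
#
# gen_password [LENGTH] [CLASS]
#   LENGTH  number of characters to emit (default 32, as in the one-liner)
#   CLASS   "graph" (94 printable ASCII characters) or "alnum" (62)
gen_password() {
    gp_len=${1:-32}
    gp_class=${2:-graph}

    # Accept only a positive decimal integer as the length.
    case $gp_len in
        ''|*[!0-9]*)
            echo "gen_password: length must be a positive integer" >&2
            return 2 ;;
    esac
    if [ "$gp_len" -le 0 ]; then
        echo "gen_password: length must be a positive integer" >&2
        return 2
    fi

    # Allow only the two classes named in the thread, so the argument
    # never reaches tr's set syntax unchecked.
    case $gp_class in
        graph|alnum) ;;
        *)
            echo "gen_password: class must be graph or alnum" >&2
            return 2 ;;
    esac

    gp_pw=
    # Read fixed-size chunks rather than piping an endless stream into
    # head: no process is ended by SIGPIPE, so this also works under
    # "set -o pipefail".
    while [ "${#gp_pw}" -lt "$gp_len" ]; do
        # LC_ALL=C makes tr treat input as single bytes and limits the
        # class to ASCII. Deleting every byte outside the class is
        # rejection sampling, so each kept character is uniform over it.
        gp_chunk=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc "[:$gp_class:]")
        gp_pw=$gp_pw$gp_chunk
    done

    # Trim the surplus from the last chunk.
    printf '%s\n' "$gp_pw" | cut -c "1-$gp_len"
}
```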



