[pass] generate passwords natively instead of dependency

Brian Candler b.candler at pobox.com
Tue Nov 15 11:25:18 CET 2016

On 14/11/2016 21:27, ilf wrote:
> Currently, pass depends on pwgen to generate passwords. I think it 
> would be easy and desirable to drop this dependency and generate 
> passwords natively.
> Here's a simple way to generate passwords from /dev/random directly in 
> shell:
> tr -dc "[:graph:]" < /dev/urandom | head -c 32
> We could also use "alnum" instead of "graph" and/or "base64" instead 
> of "head".
> I really see no reason to add an extra dependency, just for its single 
> use on line 457 of src/password-store.sh.
> Also, we gain being in control of (and responsible) of password 
> generation ourselves. In the past, there have been issues with pwgen 
> using low-entopy:
> http://www.openwall.com/lists/oss-security/2012/01/22/6
> http://www.openwall.com/lists/oss-security/2013/05/24/7
> What do you think? 

I think whatever is done won't satisfy everyone, so it needs to be 
easily pluggable.  I would prefer not in an environment variable - but 
that would probably mean introducing a config file, either in the user's 
home directory, or inside the repo itself (like .gpg-id)

More information about the Password-Store mailing list