[PATCH] Add support for XKCD-style wordlist passwords

Kjetil Torgrim Homme kjetil.homme at redpill-linpro.com
Tue Oct 30 10:33:36 CET 2018


On 30 Oct 2018 08:25, Lenz Weber wrote:
> Is this something that pass needs? Or, more crass: should it offer this
> feature or should it be considered harmful?
> 
> The point of pass, or any password manager, is not having to remember or
> even know your password.

Yes, but sometimes you need to enter this password by hand.  I use horse
battery passwords when I might need to enter the password on a mobile
phone or on a console in a chilly data centre in the middle of the
night.  Both of these will often have problems with strange characters
or keyboard layouts (is "&" on Shift 6 or Shift 7?  Since there is often
no echo, there is no way to be sure!)

btw, here's the bash function I use to generate such pass phrases when
needed:

horse ()
{
    # usage: horse [aspell-dictionary] [word-count]  (defaults: "no", 4)
    local lang="${1-no}" words="${2-4}"
    # dump the dictionary, drop entries containing capitals or apostrophes,
    # strip double quotes, pick $words random entries, print them on one line
    aspell -d "$lang" dump master | grep -v "['A-Z]" | tr -d '"' | shuf -n "$words" | xargs echo
}

(I remove words with capital letters to stick to common nouns.)

two examples:
"bensinkort stjerneforma sysselsettingsvirkningen selvforvaltningen"
"sikkerhetsmangelen nordstrandspillerens trommemaskiner tilleggsuttalelsene"

Norwegian words are quite long...

$ aspell -d no dump master | grep -v "['A-Z]" | wc
 489533  489533 6966844

average length of 13 characters.  This doesn't really help entropy,
though.  489533 distinct words give 18.9 bits of entropy each, so the
above pass phrases (of four words) have 75 bits, or 5.74e+22.  Still not
a huge amount, but the attacker would have to know that this is the
method I use to make pass phrases to successfully reduce his search space.
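The entropy arithmetic above, worked through in code as an added example (this is not part of the original mail or of pass): `filter_words` applies the same rule as the `grep -v "['A-Z]" | tr -d '"'` stage of the bash function, `entropy_bits` and `search_space` compute the figures quoted for a 489533-word list, and `passphrase` draws words with the `secrets` module. The aspell dump lines are a constructed sample, not real aspell output.

```python
import math
import re
import secrets

# Constructed sample of aspell-style dump lines (not a real aspell output).
SAMPLE_DUMP = """\
bensinkort
Oslo
trommemaskiner
selvforvaltningen
"sikkerhetsmangelen"
stjerneforma
don't
tilleggsuttalelsene
"""

# Same rejection rule as grep -v "['A-Z]": any capital letter or apostrophe.
_REJECT = re.compile(r"['A-Z]")


def filter_words(dump_text: str) -> list[str]:
    """Keep lower-case entries, strip double quotes (tr -d '"'), skip blanks."""
    words = []
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or _REJECT.search(line):
            continue
        words.append(line.replace('"', ""))
    return words


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy in bits for n words drawn uniformly (with replacement)."""
    return n_words * math.log2(wordlist_size)


def search_space(wordlist_size: int, n_words: int) -> int:
    """Number of distinct phrases an attacker who knows the method must try."""
    return wordlist_size ** n_words


def passphrase(words: list[str], n_words: int = 4) -> str:
    """Draw n words with a CSPRNG; with replacement, matching entropy_bits."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    words = filter_words(SAMPLE_DUMP)
    print(passphrase(words))
    print(f"{entropy_bits(489533, 1):.1f} bits per word, "
          f"{entropy_bits(489533, 4):.1f} bits for four, "
          f"search space {search_space(489533, 4):.2e}")
```

One difference from the bash version: `shuf -n 4` picks without replacement, so its search space is slightly smaller than 489533^4 (a negligible fraction of a bit for a list this size); `secrets.choice` in a loop picks with replacement, which is what the log2 figure assumes.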

(I do add a little more entropy to my passphrases with techniques I will
not reveal here ;-)

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
