pass generates very weak passwords with busybox's tr

Daniel Janus dj at danieljanus.pl
Tue Jul 16 21:09:07 CEST 2019


Hi,

I'm using pass 1.7.3 (on Alpine 3.10) and I've recently noticed that
`pass generate` seems to generate very weak passwords on a default
installation. Here are a few random passwords generated by
`pass generate -c 12`:

    ]hhgh][[]r[g
    ph[:::hpp:p[
    hg]:aaaghp]]

Needless to say, I'm not very impressed: these appear to be generated
using a very limited character set. Interestingly, when specifying `-n`,
passwords are as random as expected.

I've tracked it down to the fact that my `tr` was coming from Busybox.
After installing coreutils, `pass generate -c` without `-n` works as
expected. Observe what happens when you manually execute the line in
pass that actually generates passwords (L518 as of pass 1.7.3):

    $ read -r -n 12 pass < <(LC_ALL=C tr -dc '[:graph:]' < /dev/urandom); echo $pass
    G]6>]U^DbR'z
    $ read -r -n 12 pass < <(LC_ALL=C busybox tr -dc '[:graph:]' < /dev/urandom); echo $pass
    ]rgaa][::aar

Clearly, Busybox's `tr` doesn't support the `[:graph:]` character
class. Instead, it's taking those 9 characters (8 distinct) as a
character set. It does support `[:alnum:]`, which is why `-n` works
as expected.

Given that Busybox's focus is on size and essential features, and
character classes are arguably not essential, I doubt whether this
will be changed upstream. Instead, I think this should be tackled in
pass. Either it should check for Busybox's tr and reject running with
it outright, or spell out the default character set in full, rather
than as a character class.

Either way, if you've been generating your passwords on a system where
`tr` comes from Busybox, it's wise to change them immediately.

Thanks,
Daniel
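The following script is an added example and is not part of the mail above or of pass itself. It shows the checks a maintainer or packager would want from the report: a probe that tells whether the local `tr` expands `[:graph:]` as a class or keeps the literal bytes, a count of distinct characters over the sample passwords quoted in the mail, the entropy difference between an 8-symbol and a 94-symbol alphabet, and a generator that spells the printable-ASCII set out in full (the second fix the mail proposes) so it no longer depends on class support. It assumes a POSIX sh with tr, head, fold, sort, wc, awk and /dev/urandom; all function names are the example's own.

```shell
#!/bin/sh
# Added example (not the mail's code, not pass's code): probe the local tr for
# [:graph:] support, measure the symptom, and generate from an explicit set.

# Printable ASCII 0x21-0x7E (94 characters, what [:graph:] means in the C
# locale), spelled out so that no character-class support is required.
# Ordering matters for tr's own syntax: '\' is doubled, '-' comes last so it
# is literal, and '[' is not followed by ':' or '='.
GRAPH_SET="0-9A-Za-z!\"#\$%&'()*+,./:;<=>?@[\\\\]^_\`{|}~-"

# Returns 0 if tr expands '[:graph:]' as a class, 1 if it treats the literal
# bytes of "[:graph:]" as the set (the Busybox behaviour the mail describes).
# 'x' is printable but is not one of those bytes, so only a class-aware tr
# lets it through.
tr_has_graph_class() {
    [ "$(printf 'x' | LC_ALL=C tr -dc '[:graph:]')" = "x" ]
}

# Number of distinct characters in $1: a quick symptom check on a password.
distinct_count() {
    printf '%s\n' "$1" | fold -w 1 | sort -u | wc -l | tr -d ' '
}

# Entropy in bits (rounded) of a length-$1 password drawn uniformly from an
# alphabet of $2 symbols: length * log2(alphabet).
bits_for() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%.0f", n * log(a) / log(2) }'
}

# Password of $1 characters from GRAPH_SET; works with or without class support.
gen_password() {
    LC_ALL=C tr -dc "$GRAPH_SET" < /dev/urandom | head -c "$1"
}

main() {
    if tr_has_graph_class; then
        echo "tr: [:graph:] class supported"
    else
        echo "tr: [:graph:] NOT supported; 'tr -dc [:graph:]' draws from 8 symbols only"
    fi
    # The three sample passwords quoted in the mail, and their distinct counts.
    for p in ']hhgh][[]r[g' 'ph[:::hpp:p[' 'hg]:aaaghp]]'; do
        echo "$p: $(distinct_count "$p") distinct characters"
    done
    echo "12 chars from 8 symbols:  $(bits_for 12 8) bits"
    echo "12 chars from 94 symbols: $(bits_for 12 94) bits"
    echo "explicit-set password:    $(gen_password 12)"
}

main "$@"
```

Run it once on the affected host: if the probe reports that `[:graph:]` is not supported, every password produced by `pass generate` without `-n` on that host came from the 8-symbol alphabet, which is why a 12-character password there carries about 36 bits instead of roughly 79.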
