pass generates very weak passwords with busybox's tr

Daniel Janus dj at danieljanus.pl
Wed Jul 17 09:51:51 CEST 2019


On Tue, Jul 16, 2019 at 09:44:30PM +0200, Allan Odgaard wrote:

> Btw: Since they support both alnum and punct, I think you can use this:
>
>     read -r -n 12 pass < <(LC_ALL=C tr -dc '[:punct:][:alnum:]' < /dev/urandom); echo $pass

That does indeed work.

> Maybe submit a PR and see what Jason says.
>
> But I think it would be better to submit a PR toward BusyBox’s tr
> implementation.

I actually think it'd be beneficial to do both. Even when BusyBox gets
patched, propagating that patch to end users will take time. Plus,
there are other implementations. In fact, I've spot-checked a few:

- macOS's tr: I have no access to a Mac ATM, but the documentation
  mentions `[:graph:]`, so presumably it works.
- Heirloom Project's tr: `[:graph:]` works.
- Toybox: tr is not built by default, but an implementation is present
  in the `pending` directory. Same situation as with BusyBox: it doesn't
  support `[:graph:]`, but the `[:punct:][:alnum:]` trick works.

Thanks,
Daniel
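
A check for the portability problem discussed in this message, as an added example that is not part of the original post and is not code from pass: it measures how many printable ASCII characters a given tr keeps for `[:graph:]` and falls back to `[:punct:][:alnum:]`. The function names, the `TR` override variable and the `literal_tr` stand-in are assumptions of this example; the post only says the class is unsupported, not how such a tr behaves.

```sh
#!/bin/sh
# Added example: pick a tr character set that really covers printable ASCII.

# Emit the 94 printable non-space ASCII bytes (0x21-0x7e) without using tr.
printable_ascii() (
    i=33
    while [ "$i" -le 126 ]; do
        printf '%b' "\\0$(printf '%o' "$i")"
        i=$((i + 1))
    done
)

# How many of those 94 bytes survive `tr -dc SET`?
# TR is this example's own override naming the tr command under test.
class_size() (
    n=$(printable_ascii | LC_ALL=C "${TR:-tr}" -dc "$1" | wc -c)
    echo $((n))
)

# Print the first candidate set that this tr expands to all 94 bytes.
pick_charset() (
    for set in '[:graph:]' '[:punct:][:alnum:]'; do
        if [ "$(class_size "$set")" -eq 94 ]; then
            printf '%s\n' "$set"
            exit 0
        fi
    done
    echo "tr expands no candidate set to 94 characters" >&2
    exit 1
)

# Constructed stand-in for a tr without [:graph:]: it keeps only the literal
# bytes of the class name. That behaviour is an assumption made for the demo.
literal_tr() {
    if [ "$2" = '[:graph:]' ]; then
        tr -dc '\133\135:graph'
    else
        tr "$@"
    fi
}

# Usage: charset=$(pick_charset) || exit 1
```

Running `TR=literal_tr class_size '[:graph:]'` shows the stand-in keeping 8 characters instead of 94, which is the kind of shrinkage the check is meant to catch before a password is generated.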

