On Tue, May 04, 2021 at 03:17:10AM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2021-05-03 at 11:49 +0200, Marc Haber wrote:
> > apg is dead upstream. We can either pull the package (forcing people
> > back to pwgen, which probably has comparable issues) or document the
> > issues away.
>
> I wouldn't pull the package - it's probably still much better to use
> these passwords than anything the user comes up with himself.
The ideal password generator would be a merge/crossing of apg and pwgen. I
must admit that I have mostly migrated over to pwgen in the last decade;
pwgen gets developed slowly, apg is dead.

> And anyone doing real security will probably know that pronounceable
> passwords will have less entropy unless it's something like diceware.

Diceware has even less entropy per character, but it's supposed to be more
easily remembered. For me, I have grown into passwords; I find it
considerably easier to memorize something like ath;aeGie0Thah4i
(pwgen -y 16) than LappedAnguishedReconcilePatrolRematchStrategic
(diceware). But I have a strange brain anyway.

> > Would you want to provide wording for a README.Debian or an addition
> > to the package description?
>
> I would have rather written a patch that adds the information to the
> manpages and gives a message to stderr when using -a 0.

I agree with the manpage; the stderr message would have to obey -q.

> Maybe even mentioning something like diceware to be more secure when it
> comes to memorable passwords.
>
> Would that be okay for you?

I have generated https://salsa.debian.org/debian/apg and will initialize it
with the existing code within the hour. Feel free to submit a merge request
if you want to help.

> But even then... do you perhaps happen to have any connections to some
> better security expert (maybe in the Debian security team)?
> I would like to know whether my point (2) with the capital-letter-
> must-include modes is a real thing... and whether we should warn about
> that, too.

I am not sure whether this might be going too far. I think everybody knows
that using a password generator means less entropy than /dev/random at a
price of being memorable in different degrees. A password is not a
cryptographically secure key.

I am afraid that I don't have any close ties to the security team.
Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in the header
Leimen, Germany    | lose things." Winona Ryder     | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
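The entropy comparison Marc makes above (a 16-character pwgen password versus a six-word diceware passphrase, and why diceware carries less entropy per character even though the passphrase is longer) can be worked through numerically. The following is an added example, not code from the thread, from apg or from pwgen. It assumes a uniform-choice model: every character drawn independently from the 94 non-space printable ASCII characters, every word drawn independently from the standard 7776-word Diceware list. Pronounceable modes of pwgen and apg bias their choices, so for those the character-based figure is an upper bound. The two sample strings and the word count are taken from Marc's message; the small word list used by the generator is constructed here.

```python
import math
import re
import secrets

# Model assumptions (mine, not from the thread): independent, uniform choices.
PRINTABLE_ASCII = 94          # non-space printable ASCII characters
DICEWARE_LIST_SIZE = 6 ** 5   # the standard Diceware list has 7776 entries (five dice)

# Constructed word list, built from the words in Marc's diceware example plus
# two more; a real deployment would load the full Diceware list instead.
SAMPLE_WORDLIST = [
    "lapped", "anguished", "reconcile", "patrol",
    "rematch", "strategic", "quilt", "nordic",
]


def entropy_bits_charset(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_bits_wordlist(list_size: int, words: int) -> float:
    """Entropy (bits) of `words` words drawn uniformly from a list of `list_size` entries."""
    return words * math.log2(list_size)


def bits_per_char(total_bits: float, total_chars: int) -> float:
    """Entropy density: how many bits each typed character carries."""
    return total_bits / total_chars


def diceware_passphrase(words: int, wordlist: list[str]) -> str:
    """Draw `words` words with the CSPRNG (`secrets`) and concatenate them
    in the CapitalisedWords style of Marc's example."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words))


def split_passphrase(passphrase: str) -> list[str]:
    """Split a CapitalisedWords passphrase back into lower-case words."""
    return [w.lower() for w in re.findall(r"[A-Z][a-z]*", passphrase)]


def compare(pwgen_example: str, diceware_example: str, diceware_words: int) -> dict:
    """Compare total entropy and entropy per character of the two styles,
    using the lengths of the two concrete example strings."""
    char_bits = entropy_bits_charset(PRINTABLE_ASCII, len(pwgen_example))
    word_bits = entropy_bits_wordlist(DICEWARE_LIST_SIZE, diceware_words)
    return {
        "random_chars_len": len(pwgen_example),
        "random_chars_bits": char_bits,
        "random_chars_bits_per_char": bits_per_char(char_bits, len(pwgen_example)),
        "diceware_len": len(diceware_example),
        "diceware_bits": word_bits,
        "diceware_bits_per_char": bits_per_char(word_bits, len(diceware_example)),
    }


if __name__ == "__main__":
    result = compare("ath;aeGie0Thah4i",
                     "LappedAnguishedReconcilePatrolRematchStrategic", 6)
    for key, value in result.items():
        print(f"{key:28s} {value:8.2f}" if isinstance(value, float) else f"{key:28s} {value:8d}")
    print("fresh passphrase:", diceware_passphrase(6, SAMPLE_WORDLIST))
```

Under these assumptions the 16-character string is worth about 105 bits (6.55 bits per character), while the six-word passphrase is worth about 77.5 bits spread over 46 characters (roughly 1.7 bits per character). That is the trade-off Marc describes: the passphrase is both longer and weaker in total, and it has to be longer because each character carries so much less. Note that the generator's strength comes from `secrets` and the size of the list, not from the capitalisation, which is fixed and adds nothing.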