Hi, I want to bring up the question:
Is this something that pass needs? Or, more crass: should it offer this feature or should it be considered harmful? The point of pass, or any password manager, is not having to remember or even know your password. The default character set of pass has 31+26+26+10 = 93 characters, the alphanumeric has at least 62. Assuming a 6-word diceware password (approx. 30 characters) has 7776^6 ~ 10^23 combinations, a password created with the default password set of the same length has 10^59 combinations, or 10^53 for the alphanumeric character set. Assuming the use cases stated above (not having to ever remember your password), using a diceware password just for a "nice looking" password would sacrifice entropy somewhere between 10^30 and 10^36, bringing it down to the complexity of a 12-character password with the default character set. I do not think this should be encouraged in any way. Of course, there is nothing speaking against saving a diceware password that has been generated elsewhere in pass - as a fallback, in case one forgets it. But this is an edge use case, not a core use case and the stance on edge use cases has always been that there * are other unix tools for it * can always be a pass extension to offer it for those users that want it in pass What are other people's opinions on this? Regards, Lenz On 10/30/18 6:00 AM, Adhityaa Chandrasekar wrote: > --- > man/pass.1 | 17 ++++++++++------- > src/password-store.sh | 16 +++++++++++----- > 2 files changed, 21 insertions(+), 12 deletions(-) > > This is my first time contributing to pass as a long-time user. In this > patch, I'm adding support for XKCD-style passwords [1] composed of words > from a wordlist. Since there is no standardised location for a > dictionary of words, the user has to specify a path to a file with the > --wordlist argument. > > I don't know much bash/zsh/fish completions, so I'm afraid someone else > will have to help with that. > > [1] https://xkcd.com/936/ > > - Adhityaa > > diff --git a/man/pass.1 b/man/pass.1 > index 01a3fbe..72a83fc 100644 > --- a/man/pass.1 > +++ b/man/pass.1 > @@ -122,15 +122,18 @@ ensure that temporary files are created in > \fI/dev/shm\fP in order to avoid writ > difficult-to-erase disk sectors. If \fI/dev/shm\fP is not accessible, > fallback to > the ordinary \fITMPDIR\fP location, and print a warning. > .TP > -\fBgenerate\fP [ \fI--no-symbols\fP, \fI-n\fP ] [ \fI--clip\fP, \fI-c\fP ] [ > \fI--in-place\fP, \fI-i\fP | \fI--force\fP, \fI-f\fP ] \fIpass-name > [pass-length]\fP > +\fBgenerate\fP [ \fI--no-symbols\fP, \fI-n\fP ] [ \fI--wordlist > /path/to/wordlist\fP, \fI-w /path/to/wordlist\fP ][ \fI--clip\fP, \fI-c\fP ] > [ \fI--in-place\fP, \fI-i\fP | \fI--force\fP, \fI-f\fP ] \fIpass-name > [pass-length]\fP > Generate a new password using \fB/dev/urandom\fP of length \fIpass-length\fP > (or \fIPASSWORD_STORE_GENERATED_LENGTH\fP if unspecified) and insert into > -\fIpass-name\fP. If \fI--no-symbols\fP or \fI-n\fP is specified, do not use > -any non-alphanumeric characters in the generated password. The character > sets used > -in generating passwords can be changed with the > \fIPASSWORD_STORE_CHARACTER_SET\fP and > -\fIPASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS\fP environment variables, > described below. > -If \fI--clip\fP or \fI-c\fP is specified, do not print the password but > instead copy > -it to the clipboard using > +\fIpass-name\fP. If \fI--no-symbols\fP or \fI-n\fP is specified, do not use > any > +non-alphanumeric characters in the generated password. If \fI--wordlist\fP is > +specified, along with a file as argument containing a list of words to choose > +from, four words will be randomly chosen and used as password. The character > +sets used in generating passwords can be changed with the > +\fIPASSWORD_STORE_CHARACTER_SET\fP and > +\fIPASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS\fP environment variables, > described > +below. If \fI--clip\fP or \fI-c\fP is specified, do not print the password > but > +instead copy it to the clipboard using > .BR xclip (1) > and then restore the clipboard after 45 (or \fIPASSWORD_STORE_CLIP_TIME\fP) > seconds. If \fI--qrcode\fP > or \fI-q\fP is specified, do not print the password but instead display a QR > code using > diff --git a/src/password-store.sh b/src/password-store.sh > index d89d455..2778c26 100755 > --- a/src/password-store.sh > +++ b/src/password-store.sh > @@ -491,12 +491,13 @@ cmd_edit() { > } > > cmd_generate() { > - local opts qrcode=0 clip=0 force=0 characters="$CHARACTER_SET" > inplace=0 pass > - opts="$($GETOPT -o nqcif -l no-symbols,qrcode,clip,in-place,force -n > "$PROGRAM" -- "$@")" > + local opts qrcode=0 clip=0 force=0 characters="$CHARACTER_SET" > wordlist=0 inplace=0 pass > + opts="$($GETOPT -o nw:qcif -l > no-symbols,wordlist:,qrcode,clip,in-place,force -n "$PROGRAM" -- "$@")" > local err=$? > eval set -- "$opts" > while true; do case $1 in > -n|--no-symbols) characters="$CHARACTER_SET_NO_SYMBOLS"; shift > ;; > + -w|--wordlist) wordlist=$2; shift; shift ;; > -q|--qrcode) qrcode=1; shift ;; > -c|--clip) clip=1; shift ;; > -f|--force) force=1; shift ;; > @@ -504,7 +505,7 @@ cmd_generate() { > --) shift; break ;; > esac done > > - [[ $err -ne 0 || ( $# -ne 2 && $# -ne 1 ) || ( $force -eq 1 && $inplace > -eq 1 ) || ( $qrcode -eq 1 && $clip -eq 1 ) ]] && die "Usage: $PROGRAM > $COMMAND [--no-symbols,-n] [--clip,-c] [--qrcode,-q] [--in-place,-i | > --force,-f] pass-name [pass-length]" > + [[ $err -ne 0 || ( $# -ne 2 && $# -ne 1 ) || ( $force -eq 1 && $inplace > -eq 1 ) || ( $qrcode -eq 1 && $clip -eq 1 ) ]] && die "Usage: $PROGRAM > $COMMAND [--no-symbols,-n] [--wordlist,-w /path/to/wordlist] [--clip,-c] > [--qrcode,-q] [--in-place,-i | --force,-f] pass-name [pass-length]" > local path="$1" > local length="${2:-$GENERATED_LENGTH}" > check_sneaky_paths "$path" > @@ -517,8 +518,13 @@ cmd_generate() { > > [[ $inplace -eq 0 && $force -eq 0 && -e $passfile ]] && yesno "An entry > already exists for $path. Overwrite it?" > > - read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < > /dev/urandom) > - [[ ${#pass} -eq $length ]] || die "Could not generate password from > /dev/urandom." > + if [[ "$wordlist" != "" ]]; then > + pass=$(shuf -n 4 "$wordlist" | paste -sd "-" -) > + else > + read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < > /dev/urandom) > + [[ ${#pass} -eq $length ]] || die "Could not generate password > from /dev/urandom." > + fi > + > if [[ $inplace -eq 0 ]]; then > echo "$pass" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o > "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > else > _______________________________________________ Password-Store mailing list Password-Store@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/password-store
