On Mon, Dec 7, 2020 at 9:07 PM Rob Landley <r...@landley.net> wrote:

> On 12/7/20 10:52 PM, Rob Landley wrote:
> > Hmmm, this is producing a LOT more capital letters than the other version,
> > which also falls under "human readable affordance". let's see... Top bit of
> > entropy per byte isn't really used, so I'll squelch capitals when it's set.
> > (That should make 1/4 of letters capital.)
> ...
> > That's still a very different character distribution. He's squelching more
> > capitals than I am, and at least half the punctuation...
>
> Forgot to mention I used the same high bit squelch trick to suppress half the
> punctuation. The result still has more punctuation on average yet isn't
> guaranteed to have punctuation in EACH generated password, but...
>
> > Which is... eh? Close enough?
>
> Checked in the cleanup, and promoted it to toys/other.
>
> I note that -s isn't hooked up to anything. Maybe I should make it disable the
> two squelches? Yeah, I'll do that...
>

i think that the toybox implementation is effectively "always -s" because it's
just using random characters, and not doing the "pronounceable" bit. try
reading out your own example:

$ pwgen -y
Eegae:B9 pee3Boh{ Hie~j3Lu aew)a3Jo zae'Cho5 quah!Ph5 EJa(X5Ee zui7Aez)
Too2Ed)o kap.ae4L ahj$i8Se Aile-ch4 nah+w3Ea wa"Zo9ea Shu4dae+ tuNg]u7e
giY!oc9o duG5eiz- sahc7eS* ooPi@z0e eX7nei_d iV/ae1se eiQu4om^ Ni>pig1o

and then try to read the toybox ones out instead:

$ toybox pwgen -y
p:Q1$h=C h6W`ieZ< Q`o!b|+) 1apBp}nT er@7mKgi waAqC[7i v<y\:jzt [#o=Nw7w
tx1^1Uo[ o`B]y84{ wjdsl>%n R=<h[*0" #m*+(z!( qbZf,3h) fs&oc1C0 `?#-sstC
r`mR{ht{ i%g'FA$> ofy=#t}7 rCRWEmlq 7A;/`|}= rvqv|swe wT\z-(sw ,Cr*y6c.

i suspect the real thing is meant to be something more like
https://nvlpubs.nist.gov/nistpubs/Legacy/FIPS/fipspub181.pdf ?

the interesting bit seems to be:

/*
 * Generate next unit to password, making sure that it follows
 * these rules:
 *   1. Each syllable must contain exactly 1 or 2 consecutive
 *      vowels, where y is considered a vowel.
 *   2. Syllable end is determined as follows:
 *      a. Vowel is generated and previous unit is a
 *         consonant and syllable already has a vowel. In
 *         this case, new syllable is started and already
 *         contains a vowel.
 *      b. A pair determined to be a "break" pair is encountered.
 *         In this case new syllable is started with second unit
 *         of this pair.
 *      c. End of password is encountered.
 *      d. "begin" pair is encountered legally. New syllable is
 *         started with this pair.
 *      e. "end" pair is legally encountered. New syllable has
 *         nothing yet.
 *   3. Try generating another unit if:
 *      a. third consecutive vowel and not y.
 *      b. "break" pair generated but no vowel yet in current
 *         or previous 2 units are "not_end".
 *      c. "begin" pair generated but no vowel in syllable
 *         preceding begin pair, or both previous 2 pairs are
 *         designated "not_end".
 *      d. "end" pair generated but no vowel in current syllable
 *         or in "end" pair.
 *      e. "not_begin" pair generated but new syllable must
 *         begin (because previous syllable ended as defined in
 *         2 above).
 *      f. vowel is generated and 2a is satisfied, but no syllable
 *         break is possible in previous 3 pairs.
 *      g. Second and third units of syllable must begin, and
 *         first unit is "alternate_vowel".
 */

> And yes, I should rename janice[]. When I'm tired all the names I choose for
> things tend to be pop culture references, I.E. my first answer to the question
> raised by its name, ala what should I call the ps -o fields? "struct
> strawberry". In this case the question was "which rand" since "int rand;" was
> already the index into the buffer of random numbers returned by xgetrandom()
> when I yanked toybuf out from under it to construct the password into, so I
> needed a new buffer to hold random data and the obvious answer was the star
> trek character. (Could have gone with the old NSA front corporation but... no.)
>
> The question I SHOULD be answering for these names is "what will be easiest for
> other people to understand", and I usually go back and replace them later.
>
> And yes sizeof(janice) was an issue because more system calls is bad (it's slow
> and I'm never 100% sure there isn't some ptrace exploit for some subtle side
> channel attack or data exfiltration or something), but draining the entropy
> buffer more than necessary is bad. So I compromised at twice the default
> password size, not _entirely_ arbitrarily because I vaguely remembered something
> about the internal kernel hash plumbing that implements /dev/urandom working in
> block sizes bigger than 64 bits (8 bytes), so the kernel's doing the work to
> prepare at least much buffer each time even when it mixes those bits back in
> because it didn't send them to userspace. (I'm using urandom which doesn't do
> the "we're out of REAL entropy, block until more comes in" accounting, but it's
> still not a good idea to waste it. I _could_ look up what the current hash
> granularity is for whatever they've redone the plumbing to this year, but it
> would only change again and being asked for one 8 character password is just
> enough of a common case (pwgen -1) that fetching twice that much seemed the most
> I could excuse anyway. Hand wave, hand wave, jazzhands.)
>
> Rob
> _______________________________________________
> Toybox mailing list
> Toybox@lists.landley.net
> http://lists.landley.net/listinfo.cgi/toybox-landley.net
>
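Added example, not part of the thread and not toybox's code: a Python sketch that measures what the "high bit squelch" discussed above does to the character distribution and to the entropy of an 8 character password. The byte-to-character mapping is an assumption made for illustration (low 7 bits select a printable ASCII character, non-printable values are redrawn, and a squelched punctuation character is redrawn rather than replaced); all function names are hypothetical.

```python
import math
import string
from collections import Counter
from fractions import Fraction

PUNCT = set(string.punctuation)  # the 32 printable ASCII punctuation characters

def map_byte(b, squelch=True):
    """Map one random byte to a password character, or None to reject it.

    Assumed scheme (hypothetical, not toybox's code): the low 7 bits pick a
    printable ASCII character, the top bit is the squelch flag.
    """
    v = b & 0x7F
    if not 33 <= v <= 126:
        return None                      # not printable: draw another byte
    c = chr(v)
    if squelch and b & 0x80:
        if c.isupper():
            return c.lower()             # squelched capital becomes lowercase
        if c in PUNCT:
            return None                  # squelched punctuation: draw again
    return c

def distribution(squelch=True):
    """Exact per-character probabilities, by enumerating all 256 byte values."""
    counts = Counter(c for c in (map_byte(b, squelch) for b in range(256)) if c)
    total = sum(counts.values())
    return {c: Fraction(n, total) for c, n in counts.items()}

def shannon_bits(dist):
    """Average entropy per character, in bits."""
    return -sum(float(p) * math.log2(p) for p in dist.values())

def min_entropy_bits(dist):
    """Worst-case entropy per character: driven by the most likely character."""
    return -math.log2(max(dist.values()))

def class_share(dist, pred):
    """Total probability of the characters for which pred(c) is true."""
    return sum(p for c, p in dist.items() if pred(c))

if __name__ == "__main__":
    for squelch in (False, True):
        d = distribution(squelch)
        caps = class_share(d, str.isupper) / class_share(d, str.isalpha)
        print(f"squelch={squelch}: capitals/letters={caps}, "
              f"punctuation={float(class_share(d, PUNCT.__contains__)):.3f}, "
              f"8 chars: {8 * shannon_bits(d):.1f} bits Shannon, "
              f"{8 * min_entropy_bits(d):.1f} bits min-entropy")
```

Under these assumptions the capital share of letters comes out at exactly 1/4, matching the figure quoted in the thread, and the readability affordance costs about 1.5 bits of Shannon entropy per 8 character password compared with uniform printable ASCII.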