Hi Brian,

Thanks for your feedback.
On Sun, Dec 18, 2016 at 5:29 PM, Brian Candler <b.cand...@pobox.com> wrote:
> Well firstly, it doesn't even work under OSX. I tried this:
> ./badpass.sh: line 4: read: -N: invalid option
> tr: Illegal byte sequence
> read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < /dev/urandom)
> And now it works:

Thanks! Fixed. Good catch and good solution.

> But more seriously, there is the risk that this will consume a pipe-buffer
> (4KB? 8KB?) of entropy, only to discard most of it. That's extremely
> wasteful.

Reading from /dev/urandom has no effect on /proc/sys/kernel/random/entropy_avail on Linux. Does it have an effect on any other platforms?

> Furthermore, despite consuming so much entropy, it doesn't even guarantee
> that every password generated has at least one upper-case, lower-case, digit
> and symbol - i.e. the password may still be rejected by many websites!

I don't think this is a problem in practice. The way most pass users operate is if they can get away with it, they use the default generate that includes some symbols. If they can't, they fall back to --no-symbols. If a site has some bizarre requirements, they just tweak whatever the high-entropy output from generate was with some addition of required characters.

> I think we need a pluggable password generator, so at least we don't have to
> argue and people can use whatever generator they prefer. And as for a
> default, well pwgen is (in my opinion) better than the one in that patch.

Next release of pass will be generally pluggable, so I'll consider this.

Jason
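
An added example, not part of the original message and not code from pass: shell functions for the two points raised in the thread, reading /dev/urandom in bounded chunks instead of through an open-ended pipe, and checking (with redraw) that a generated password contains every character class. The function names, the 64-byte chunk size and the `[:graph:]` set are assumptions.

```shell
#!/bin/sh
# Added example; gen_pass, has_all_classes and gen_pass_all_classes are
# hypothetical names, not functions from pass.

# gen_pass LENGTH CHARSET: CHARSET is a tr(1) set, e.g. '[:graph:]'.
gen_pass() {
    length=$1
    characters=$2
    pass=""
    # Pull 64 bytes at a time (assumed chunk size) so only a bounded amount
    # is read from /dev/urandom, rather than whatever fills a pipe buffer.
    while [ "${#pass}" -lt "$length" ]; do
        chunk=$(head -c 64 /dev/urandom | LC_ALL=C tr -dc "$characters")
        pass="$pass$chunk"
    done
    # Keep exactly LENGTH characters (all single-byte after the tr filter).
    printf '%s\n' "$pass" | LC_ALL=C cut -c "1-$length"
}

# has_all_classes STRING: succeeds only if STRING contains at least one
# upper-case letter, lower-case letter, digit and symbol.
has_all_classes() {
    for class in upper lower digit punct; do
        printf '%s\n' "$1" | LC_ALL=C grep -q "[[:$class:]]" || return 1
    done
}

# gen_pass_all_classes LENGTH: draw whole passwords until one passes the
# class check. Rejecting and redrawing the entire password keeps the result
# uniform over the passwords that satisfy the policy.
gen_pass_all_classes() {
    [ "$1" -ge 4 ] || return 1   # four classes need at least four characters
    while :; do
        candidate=$(gen_pass "$1" '[:graph:]')
        if has_all_classes "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

gen_pass_all_classes 20
```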