On Mon, 19 Jun 2017 07:37:35 +0200 Heinz Diehl <htd+ml@xxxxxxxxxx> wrote:

> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.

The man page says they are modified to be more memorable, by some definition, and so are less than completely random.

    ...generates passwords which are designed to be easily memorized by humans, while being as secure as possible. Human-memorable passwords are never going to be as secure as completely random passwords. ...

I suppose if someone knew I had used pwgen, and incorporated that pattern knowledge into their attack, that might be true. But to an ignorant attacker, these are effectively random passwords. Or more importantly, cryptographically secure passwords, since 'password' is a perfectly legitimate random 8 character string, but not a cryptographically secure 8 character string.

I'm glad to learn that pwgen uses /dev/urandom. That is probably the best solution on a Linux system, especially if a hardware random number generator is feeding entropy into /dev/random, as excess entropy will be fed into /dev/urandom, enhancing its unpredictability.

> In case of any doubt, you can always do something like
>
> head /dev/random | tr -dc A-Za-z0-9 | head -c X
>
> where X is your password length. Tr also lets you tailor the
> character set used.

Neat solution. I like all the predefined character classes for tr. And it lends itself nicely to a script.

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
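The script the reply alludes to, written out as an added example (not code from either poster): it wraps the quoted tr pipeline, reads /dev/urandom with a byte-bounded head -c so it never blocks or comes up short, and also reports how many bits of entropy a given length and character set actually buy. The function names genpw, charset_size and entropy_bits are my own choices.

```shell
#!/bin/sh
# Added example: a script around "tr -dc CHARSET" over /dev/urandom.
# genpw LENGTH [CHARSET]   prints one password of exactly LENGTH characters
#                          drawn from the tr character set (default A-Za-z0-9).
genpw() {
    len=$1
    charset=${2:-A-Za-z0-9}
    pw=''
    # Loop in case a 4096-byte chunk filters down to fewer than LENGTH
    # characters (only likely for very small sets such as 0-9 at long lengths).
    while [ "${#pw}" -lt "$len" ]; do
        # LC_ALL=C: treat the stream as raw bytes so no locale mangles it.
        # head -c bounds the read, unlike line-oriented "head /dev/random".
        chunk=$(LC_ALL=C head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$charset")
        pw="$pw$chunk"
    done
    printf '%s\n' "$pw" | cut -c1-"$len"
}

# charset_size CHARSET   counts how many of the 255 non-NUL byte values
#                        survive "tr -dc CHARSET", i.e. the alphabet size N.
charset_size() {
    LC_ALL=C awk 'BEGIN { for (i = 1; i < 256; i++) printf "%c", i }' \
        | LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits LENGTH [CHARSET]   prints LENGTH * log2(N), one decimal place.
# This is the strength an attacker who knows the generator faces; the
# memorability tweaks pwgen applies reduce its figure below this bound.
entropy_bits() {
    n=$(charset_size "${2:-A-Za-z0-9}")
    awk -v n="$n" -v l="$1" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# Usage: ./genpw.sh 16 [CHARSET]  -> password plus its entropy estimate
if [ $# -gt 0 ]; then
    genpw "$@"
    printf 'entropy: %s bits\n' "$(entropy_bits "$@")"
fi
```

With the default set, 16 characters give about 95 bits; a digits-only set needs about 29 characters to match that.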