  2. 13

    I might be truly paranoid, but using a tool labelled as “secure” by NSA and offered to the public looks like an attempt at pushing a backdoor to the public. This reminds me of Operation Trojan Shield held by the FBI.

    Has anyone done a full audit of this code somewhere? If it’s “legit”, it could be nice to know where they seed their randomness from to ensure the security of the result.

    Edit: Found my answer in the README:

    The foundation of RandPassGenerator is an implementation of the NIST SP800-90 HashDRBG. It uses entropy, carefully gathered from system sources, to generate quality random output. The internal strength of the DRBG is 192 bits, according to NIST SP800-57, using the SHA-384 algorithm. In accordance with SP800-90, the DRBG is seeded with at least 888 bits of high quality entropy from entropy sources prior to any operation.

    This implementation uses the seed mechanism of the Java SecureRandom class for gathering entropy.

    1. 9

      It warms my heart that they checked their editor backup files into git.

      1. 2

        Someone doesn’t have their personal gitignore settings configured correctly.

        I have, among a lot of, things this in my .config/git/ignore:

        [#]*[#]
        *~
        

        The complete file as part of my dotfiles: https://gitlab.com/youRFate/dotfiles/-/blob/master/git/.config/git/ignore

        1. 2

          I just configure Emacs to autosave numbered versions to a separate directory.

          1. 3

            Yes, I have that set up too, but I sometimes use different editors like mg (https://homepage.boetes.org/software/mg/) on remote systems which I typically don’t configure.

      2. 6
        1. 3

          I used to use https://linux.die.net/man/1/apg, but now I use the generator built into my password management system.

        2. 5

          What’s wrong with base32 < /dev/urandom | head -c 32 | tr '[:upper:]' '[:lower:]'?

          160 bits of entropy (5 per char) while being easy to type (no special chars, etc. - though most sites will make you add one).

          1. 2
            $ base32 < /dev/urandom | head -c 32 | tr A-M a-m | sed 's/..../&-/g;s/-$//'; echo 
             QWP5-liQN-mmUX-2kX7-kYkW-WchN-SR5O-3QXY
            
            1. 3

              dd if=/dev/random|tr -cd '\041-\176'|dd bs=1 count=16 status=none;echo   # tr takes octal escapes (\041-\176 is 0x21-0x7e); GNU tr has no \x hex form

              I have noticed that for some things it lets too much through, but in those cases the filter can always be modified.
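Added example (not from this thread or from any of the tools mentioned): the entropy arithmetic behind the "5 bits per char" claim for the base32 one-liner above, and the same rejection-sampling idea the dd|tr pipeline relies on, written in Python with the standard `secrets` module. The alphabets, the 16 and 32 character lengths and the hyphenation grouping are taken from the commands in the thread; the function names are my own.

```python
import math
import secrets

# Alphabets used by the one-liners in this thread (constructed for the example).
BASE32_LOWER = "abcdefghijklmnopqrstuvwxyz234567"             # RFC 4648 base32, lowercased: 32 symbols
PRINTABLE_ASCII = "".join(chr(c) for c in range(0x21, 0x7F))  # 0x21-0x7e, the tr range: 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn independently and uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` of entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def filter_random_bytes(keep: str, length: int, rng=secrets.token_bytes) -> str:
    """Rejection sampling, the same idea as `tr -cd SET` on /dev/random: pull random
    bytes and keep only those inside the wanted set. Every kept byte is still uniform
    over `keep`, so entropy per character is log2(len(keep))."""
    wanted = set(keep.encode("ascii"))
    out = bytearray()
    while len(out) < length:
        for b in rng(64):  # 64 bytes per draw; rejected bytes cost time, not entropy
            if b in wanted:
                out.append(b)
                if len(out) == length:
                    break
    return out.decode("ascii")


def generate(alphabet: str, length: int) -> str:
    """Uniform choice per character from the OS CSPRNG (secrets.choice does its own
    rejection sampling, so no modulo bias)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hyphenate(pw: str, group: int = 4) -> str:
    """Insert '-' every `group` characters, like sed 's/..../&-/g;s/-$//'.
    A fixed, reversible layout adds readability but no entropy."""
    return "-".join(pw[i:i + group] for i in range(0, len(pw), group))


if __name__ == "__main__":
    for name, alphabet, n in (("base32 lowercase", BASE32_LOWER, 32),
                              ("printable ASCII", PRINTABLE_ASCII, 16)):
        bits = entropy_bits(len(alphabet), n)
        print(f"{name:17} {n} chars: {bits:6.1f} bits  e.g. {generate(alphabet, n)}")
    print("base32 length for 128 bits:", length_for_bits(32, 128))
    print("filtered like tr -cd:", filter_random_bytes(PRINTABLE_ASCII, 16))
    print("grouped:", hyphenate(generate(BASE32_LOWER, 32)))
```

Two things worth noticing when running it: 16 printable-ASCII characters give about 105 bits, so the base32 string is the stronger of the two one-liners despite looking plainer, and any case-mapping or hyphenation applied afterwards is a bijection on the alphabet and leaves the entropy unchanged.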

          2. 5

            I just use the generator built into Bitwarden to generate all passwords I use.

            1. 3

              I’m working on this tool that you can pass a RegEx and it spits out random words matching that regex: Passgen. It also supports wordlists and using markov chains to generate pronounceable words (by loading a wordlist that matches the language you want to generate pronounceable words for). Feel free to give that a try some time; I’d love some feedback!