Add English-like/pronouncable password generation. #368
Comments
Thank you very much for bringing this up. IMHO this is a very good idea and we'd like to include this feature. So far we didn't find any usable password generation libraries for Go, this is why we even wrote the simple If you would like to contribute work on an advanced password generation package, that would be awesome.
@dominikschulz I work on a vendorable xkcd password generator lib / standalone tool. So you can assign that to me if you want. @dominikschulz would it be ok for you guys if I reuse `init()` and `randomInteger()` from `pwgen.go`? I guess it's not "Substantial portion" in the sense of MIT license - so are you fine with a reference to gopass and the source file? I would put my stuff under MIT license as well.
@martinhoefling Please go ahead with both proposals. Unfortunately I can't seem to assign the issue to you (https://help.github.com/articles/assigning-issues-and-pull-requests-to-other-github-users/). No need to ask for code reuse as long as you use it in open source code.
https://github.com/martinhoefling/goxkcdpwgen - I would vendor the lib in gopass. Which command line options make sense? Just a simple `➜ bin ./goxkcdpwgen -c -d " "`? Shall we ask for anything in addition to the number of words?
Closed by #373
…passpw#373)

* Vendorized and integrated xkcd password generation (gopasspw#368)
* Split up in -x and -xo option for words with and without separator
* Simplify code, fix linter
* Refined xkcd flags and documentation, review comments addressed
Motivation: often, a password has to be communicated through a side-channel or remembered (either for the short or long run), despite being held in a password manager. For example, some of my passwords get entered on iOS where I do not currently have a method to securely use my GPG hardware token. Despite this, there are techniques to improve the communicability of passwords while still maintaining a high degree of security.
There are a few models for discussion here.
The simplest and most common model: further constrain the character set to mostly alternate between vowels and non-vowels. This can be augmented with special characters infrequently.
The best model: the XKCD approach. We take an English (or maybe, any language) dictionary and select M words from it (with a minimum total character length of N), then assemble those words separated by a small class of characters, perhaps `_` and `-` by default [2], but we also mutate the English words to only be English-like. Ideas here include transmuting vowels, swapping common morphemes (this would likely be English-specific, due to the need to define a dictionary of morphemes), etc. Done right, this would generate non-words that still have communicative and memorable value, e.g., `Welok` and `Bomloy`, combined together to produce a password like `Welok_Bomloy-Twolith`.
Each decision here (e.g., how frequently to have non-pronounceable characters) can have its effective entropy calculated. We should define a target entropy before embarking on any of this.
To whatever extent possible, we should defer to a password generation library that will do this for us. If a satisfactory library cannot be found, I would be interested in participating in that. I have not yet searched.