[Toybox] [New Toy] pwgen

enh enh at google.com
Tue Dec 8 10:38:08 PST 2020


On Mon, Dec 7, 2020 at 11:38 PM Rob Landley <rob at landley.net> wrote:

>
>
> On 12/8/20 12:40 AM, enh wrote:
> >
> >
> > On Mon, Dec 7, 2020 at 9:07 PM Rob Landley <rob at landley.net> wrote:
> >
> >     On 12/7/20 10:52 PM, Rob Landley wrote:
> >     > Hmmm, this is producing a LOT more capital letters than the other version, which
> >     > also falls under "human readable affordance". let's see... Top bit of entropy
> >     > per byte isn't really used, so I'll squelch capitals when it's set. (That should
> >     > make 1/4 of letters capital.)
> >     ...
> >     > That's still a very different character distribution. He's squelching more
> >     > capitals than I am, and at least half the punctuation...
> >
> >     Forgot to mention I used the same high bit squelch trick to suppress half the
> >     punctuation. The result still has more punctuation on average yet isn't
> >     guaranteed to have punctuation in EACH generated password, but...
> >
> >     > Which is... eh? Close enough?
> >
> >     Checked in the cleanup, and promoted it to toys/other.
> >
> >     I note that -s isn't hooked up to anything. Maybe I should make it disable the
> >     two squelches? Yeah, I'll do that...
> >
> >
> > i think that the toybox implementation is effectively "always -s" because it's
> > just using random characters, and not doing the "pronounceable" bit. try reading
> > out your own example:
>
> A) first I've heard of it (I didn't use this command before and was just
> cleaning up the submission based on what it was already doing),
>
> B) pronounceable?
>
> wa quote zo nine ea?
>
> tu capital-n g right square bracket seven e?
>
> eja left parentheses X 5 ee?
>
> > $ pwgen -y
> > Eegae:B9 pee3Boh{ Hie~j3Lu aew)a3Jo zae'Cho5 quah!Ph5 EJa(X5Ee zui7Aez)
> > Too2Ed)o kap.ae4L ahj$i8Se Aile-ch4 nah+w3Ea wa"Zo9ea Shu4dae+ tuNg]u7e
> > giY!oc9o duG5eiz- sahc7eS* ooPi@z0e eX7nei_d iV/ae1se eiQu4om^ Ni>pig1o
> >
> > and then try to read the toybox ones out instead:
> >
> > $ toybox pwgen -y
> > p:Q1$h=C h6W`ieZ< Q`o!b|+) 1apBp}nT er@7mKgi waAqC[7i v<y\:jzt [#o=Nw7w
> > tx1^1Uo[ o`B]y84{ wjdsl>%n R=<h[*0" #m*+(z!( qbZf,3h) fs&oc1C0 `?#-sstC
> > r`mR{ht{ i%g'FA$> ofy=#t}7 rCRWEmlq 7A;/`|}= rvqv|swe wT\z-(sw ,Cr*y6c.
> >
> > i suspect the real thing is meant to be something more
> > like https://nvlpubs.nist.gov/nistpubs/Legacy/FIPS/fipspub181.pdf ?
> >
> > the interesting bit seems to be:
> >
> > /*
> > * Generate next unit to password, making sure that it follows
> > * these rules:
> > * 1. Each syllable must contain exactly 1 or 2 consecutive
> > * vowels, where y is considered a vowel.
> > * 2. Syllable end is determined as follows:
> > * a. Vowel is generated and previous unit is a
> > * consonant and syllable already has a vowel. In
> > * this case, new syllable is started and already
> > * contains a vowel.
> > * b. A pair determined to be a "break" pair is encountered.
> > * In this case new syllable is started with second unit
> > * of this pair.
> > * c. End of password is encountered.
> > * d. "begin" pair is encountered legally. New syllable is
> > * started with this pair.
> > * e. "end" pair is legally encountered. New syllable has
> > * nothing yet.
> > * 3. Try generating another unit if:
> > * a. third consecutive vowel and not y.
> > * b. "break" pair generated but no vowel yet in current
> > * or previous 2 units are "not_end".
> > * c. "begin" pair generated but no vowel in syllable
> > * preceding begin pair, or both previous 2 pairs are
> > * designated "not_end".
> > * d. "end" pair generated but no vowel in current syllable
> > * or in "end" pair.
> > * e. "not_begin" pair generated but new syllable must
> > * begin (because previous syllable ended as defined in
> > * 2 above).
> > * f. vowel is generated and 2a is satisfied, but no syllable
> > * break is possible in previous 3 pairs.
> > * g. Second and third units of syllable must begin, and
> > * first unit is "alternate_vowel".
> > */
>
> [Reads the above three times. Remains unenlightened.]
>
> Given that I've been failing to learn Japanese for almost 5 years including 20
> minutes on it earlier today, if I _should_ do something like this I'd probably
> just program in the hiragana syllabary and have it pick from there instead of
> letters, then output romaji. :)
>
> The resulting loss of entropy in 8 chars is still a thing though. And where to
> throw in the random capitalizations... (I'd say a capital number is something
> from the punctuation list except the punctuation list is over twice as long...)
>
> In any case, it's a complete rewrite of the password generation logic, although
> that's now a drop-in replacement for a tiny code block. If you think it's worth
> doing, I can do it...
>

i have no opinion on that, not having used either, but did think it might
be worth changing the docs to match reality:

-      -s  --secure                      Generate more random passwords.
+      -s  --secure                      Generate random passwords
(default).
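
Review bot: on the new -s line, "(default)" is only accurate while -s is a no-op. Earlier in this thread Rob notes that -s "isn't hooked up to anything" and says he will make it disable the two squelches; once that lands, -s output differs from the default and this help text is wrong again. Suggest wording the line around what -s actually changes (that it turns off the capital and punctuation squelching) instead of calling it the default.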

i see there's also a secpwgen(1) but that seems to be slightly different
again?


> Rob
>
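
The high-bit squelch Rob describes, and his concern about entropy loss in 8 characters, can be checked exactly by enumerating all 256 byte values. The C sketch below is an added example, not the toybox source: mapping the low 7 bits to printable ASCII with a redraw on a miss is an assumption, and squelch_map, tally, lg2 and bits_per_char are names made up here.

```c
#include <ctype.h>
#include <stdio.h>

// Assumed model, not toybox's code: the low 7 bits pick the character and
// bit 7 is the squelch bit. Returns the character, or -1 for "draw again".
int squelch_map(unsigned char b, int squelch)
{
  int c = b & 0x7f;
  if (c < 33 || c > 126) return -1;      // not printable ASCII: redraw
  if (squelch && (b & 0x80)) {
    if (isupper(c)) return tolower(c);   // capital squelched to lowercase
    if (ispunct(c)) return -1;           // punctuation squelched: redraw
  }
  return c;
}

// Count how many of the 256 byte values yield each character; returns the total.
int tally(int squelch, int weight[128])
{
  int c, total = 0;
  for (c = 0; c < 128; c++) weight[c] = 0;
  for (int b = 0; b < 256; b++)
    if ((c = squelch_map(b, squelch)) >= 0) weight[c]++, total++;
  return total;
}

// Digit-by-digit log2 for x >= 1, so the example builds without -lm.
static double lg2(double x)
{
  double r = 0, bit = 0.5;
  for (; x >= 2; x /= 2) r++;
  for (int i = 0; i < 40; i++, bit /= 2) if ((x *= x) >= 2) x /= 2, r += bit;
  return r;
}

// Exact Shannon entropy per output character: log2(T) - sum(w*log2(w))/T.
double bits_per_char(int squelch)
{
  int weight[128], total = tally(squelch, weight);
  double sum = 0;
  for (int c = 0; c < 128; c++) if (weight[c]) sum += weight[c]*lg2(weight[c]);
  return lg2(total) - sum/total;
}

int main(void)
{
  for (int s = 0; s < 2; s++)
    printf("squelch=%d: %.2f bits per 8 chars\n", s, 8*bits_per_char(s));
  return 0;
}
```

In this model each lowercase letter is three times as likely as its capital, which matches the "1/4 of letters capital" figure in the thread, and the skew is what costs entropy relative to a uniform draw over the 94 printable characters.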