<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Dec 7, 2020 at 11:38 PM Rob Landley <<a href="mailto:rob@landley.net">rob@landley.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 12/8/20 12:40 AM, enh wrote:<br>
> <br>
> <br>
> On Mon, Dec 7, 2020 at 9:07 PM Rob Landley <<a href="mailto:rob@landley.net" target="_blank">rob@landley.net</a><br>
> <mailto:<a href="mailto:rob@landley.net" target="_blank">rob@landley.net</a>>> wrote:<br>
> <br>
> On 12/7/20 10:52 PM, Rob Landley wrote:<br>
> > Hmmm, this is producing a LOT more capital letters than the other version,<br>
> which<br>
> > also falls under "human readable affordance". let's see... Top bit of entropy<br>
> > per byte isn't really used, so I'll squelch capitals when it's set. (That<br>
> should<br>
> > make 1/4 of letters capital.)<br>
> ...<br>
> > That's still a very different character distribution. He's squelching more<br>
> > capitals than I am, and at least half the punctuation...<br>
> <br>
> Forgot to mention I used the same high bit squelch trick to suppress half the<br>
> punctuation. The result still has more punctuation on average yet isn't<br>
> guaranteed to have punctuation in EACH generated password, but...<br>
> <br>
> > Which is... eh? Close enough?<br>
> <br>
> Checked in the cleanup, and promoted it to toys/other.<br>
> <br>
> I note that -s isn't hooked up to anything. Maybe I should make it disable the<br>
> two squelches? Yeah, I'll do that...<br>
> <br>
> <br>
> i think that the toybox implementation is effectively "always -s" because it's<br>
> just using random characters, and not doing the "pronounceable" bit. try reading<br>
> out your own example:<br>
<br>
A) first I've heard of it (I didn't use this command before and was just<br>
cleaning up the submission based on what it was already doing),<br>
<br>
B) pronounceable?<br>
<br>
wa quote zo nine ea?<br>
<br>
tu capital-n g right square bracket seven e?<br>
<br>
eja left parentheses X 5 ee?<br>
<br>
> $ pwgen -y<br>
> Eegae:B9 pee3Boh{ Hie~j3Lu aew)a3Jo zae'Cho5 quah!Ph5 EJa(X5Ee zui7Aez)<br>
> Too2Ed)o kap.ae4L ahj$i8Se Aile-ch4 nah+w3Ea wa"Zo9ea Shu4dae+ tuNg]u7e<br>
> giY!oc9o duG5eiz- sahc7eS* ooPi@z0e eX7nei_d iV/ae1se eiQu4om^ Ni>pig1o<br>
> <br>
> and then try to read the toybox ones out instead:<br>
> <br>
> $ toybox pwgen -y<br>
> p:Q1$h=C h6W`ieZ< Q`o!b|+) 1apBp}nT er@7mKgi waAqC[7i v<y\:jzt [#o=Nw7w<br>
> tx1^1Uo[ o`B]y84{ wjdsl>%n R=<h[*0" #m*+(z!( qbZf,3h) fs&oc1C0 `?#-sstC<br>
> r`mR{ht{ i%g'FA$> ofy=#t}7 rCRWEmlq 7A;/`|}= rvqv|swe wT\z-(sw ,Cr*y6c.<br>
> <br>
> i suspect the real thing is meant to be something more<br>
> like <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/FIPS/fipspub181.pdf" rel="noreferrer" target="_blank">https://nvlpubs.nist.gov/nistpubs/Legacy/FIPS/fipspub181.pdf</a> ?<br>
> <br>
> the interesting bit seems to be:<br>
> <br>
> /*<br>
> * Generate next unit to password, making sure that it follows<br>
> * these rules:<br>
> * 1. Each syllable must contain exactly 1 or 2 consecutive<br>
> * vowels, where y is considered a vowel.<br>
> * 2. Syllable end is determined as follows:<br>
> * a. Vowel is generated and previous unit is a<br>
> * consonant and syllable already has a vowel. In<br>
> * this case, new syllable is started and already<br>
> * contains a vowel.<br>
> * b. A pair determined to be a "break' pair is encountered.<br>
> * In this case new syllable is started with second unit<br>
> * of this pair.<br>
> * c. End of password is encountered.<br>
> * d. "begin" pair is encountered legally. New syllable is<br>
> * started with this pair.<br>
> * e. "end" pair is legally encountered. New syllable has<br>
> * nothing yet.<br>
> * 3. Try generating another unit if:<br>
> * a. third consecutive vowel and not y.<br>
> * b. "break" pair generated but no vowel yet in current<br>
> * or previous 2 units are "not_end .<br>
> * c. "begin" pair generated but no vowel in syllable<br>
> * preceding begin pair, or both previous 2 pairs are<br>
> * designated "not_end".<br>
> * d. "end" pair generated but no vowel in current syllable<br>
> * or in "end" pair.<br>
> * e. "not_begin" pair generated but new syllable must<br>
> * begin (because previous syllable ended as defined in<br>
> * 2 above).<br>
> * f. vowel is generated and 2a is satisfied, but no syllable<br>
> * break is possible in previous 3 pairs.<br>
> * g. Second and third units of syllable must begin, and<br>
> * first unit is "altemate_vowel".<br>
> */<br>
<br>
[Reads the above three times. Remains unenlightened.]<br>
<br>
Given that I've been failing to learn japanese for almost 5 years including 20<br>
minutes on it earlier today, if I _should_ do something like this I'd probably<br>
just program in the hiragana syllabary and have it pick from there instead of<br>
letters, then output romanji. :)<br>
<br>
The resulting loss of entropy in 8 chars is still a thing though. And where to<br>
throw in the random capitalizations... (I'd say a capital number is something<br>
from the punctuation list except the puncuation list is over twice as long...)<br>
<br>
In any case, it's a complete rewrite of the password generation logic, although<br>
that's now a drop-in replacement for a tiny code block. If you think it's worth<br>
doing, I can do it...<br></blockquote><div><br></div><div>i have no opinion on that, not having used either, but did think it might be worth changing the docs to match reality:</div><div><br></div><div>- -s --secure Generate more random passwords.<br></div><div>+ -s --secure Generate random passwords (default).<br></div><div><br></div><div>i see there's also a secpwgen(1) but that seems to be slightly different again?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Rob<br>
</blockquote></div></div>