Generate pass phrases #271
Please explain... The purpose of LessPass is to not remember generated passwords, except your one and only master password.
Hello @kabouzeid, @SoftwUser certain passwords like the Windows login password or sudo password are passwords you want to memorize because:
Ah, maybe patterns like in Masterpassword: @guillaumevincent
Yes, for sure.
Hello, sorry for no further explanation. Adding another option to generate pass phrases was what I had in mind. One could use LessPass to generate a pass phrase which one can memorize. The advantage is that one can restore the password via LessPass if forgotten.
I thought about doing it like this: I'm not familiar with the implementation of LessPass, so there is probably a better way to do it.
Interesting, but wouldn't it be less secure compared to the "standard" LessPass passwords, given that attacks against "words" would be successful much quicker than against random characters?
Relevant xkcd: https://xkcd.com/936/
Be aware that a hacker will use a C program and run this on GPU hardware. So basically it will create a lot more than 1 password in 0.5s.
I have use cases similar to yours, @kabouzeid. For anyone interested:
I wrote a password generator a couple of years ago starting with the basic XKCD 936 premise:
@smontanaro thank you! As far as I can see this is not what I'm looking for though. I'm looking for something that generates a pass phrase from a LessPass password in a deterministic way. Obviously only deterministic on the same word list. I could write it on my own in a simple script; I was hoping that the functionality would be included directly into LessPass though.
The thought here is that I can use a pass phrase for things I need to type often, like my sudo password. But in case I forget it, I want to be able to restore it via LessPass.
Understand... So there would be sort of a dictionary covering about 8000 words (per language) as a source for those pass phrases.
@kabouzeid Understood. I wasn't trying to suggest that it could be used directly. At minimum, I think you'd have to translate the relevant bits into LessPass-speak (JavaScript?). @SoftwUser Correct, you'd have to cook up a dictionary of suitable size. I don't think it has to be huge. In XKCD 936 explained (https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength) the 44 bits come from 2048 words sampled four times. (I get 45, but I'm probably making a dumb mistake.) You can raise the entropy level without substantially reducing the memorability of the pass phrase by sprinkling random punctuation/digits between the words and random capitalization of the words. Just considering five-letter words from /usr/share/dict/words on the system at my fingertips, I get 15034 words, 90 kbytes uncompressed, 39k gzipped. Choosing a sample of 4096 of those words gets me down to 24 kbytes plain, 10 kbytes gzipped. I think it's totally doable to include such a dictionary in the LessPass code (assuming it can be decrypted on the fly; I'm not a web programmer, and don't know what's available). This, of course, is only for English, but I see no conceptual problem choosing a particular language at setup.
We will probably need a fixed list of words (EFF? https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases) and we will use the entropy generated to consume this list of words. If someone wants to try an implementation on https://github.com/lesspass/core/
XKCD-password-generator could help.
For passphrase generation, see Diceware.
I think the underlying generation method of LessPass can be readily used to generate word phrases. After generating the entropy you need to consume it with words instead of single characters.
For example a word from a list of 8192 (=2^13), one of 4 (=2^2) capitalization variations and one of 32 (=2^5) symbols for separator consume 20 bits or 2.25 bytes of the key generated by PBKDF. A 3 (4 resp.) word pass phrase will consume 7 (9 resp.) bytes (which could have been used to create a LessPass password around 9 (11 resp.) characters).
Edit: Since the pass phrase generated must be the same everywhere for the same parameters, the word list (or lists) has to be fixed.
I close this one. Interesting discussion btw.
Duplicated by: #523. Dice dictionaries have some drawbacks:
Fun facts: the French example highlights the diversity of language :D
@edouard-lopez I close this one again, please don't reopen. This feature will introduce some complexity in the UI, and I will probably never implement it because of low priority and not a lot of time. I will reopen if I find some time one day and most priority issues are resolved. Thanks
I haven't looked over the project source code, but assume that the master password is used as a seed for "random" generation of passwords, and that for a character-by-character password, it's just applying If that assumption is correct, substituting a character for a word from the EFF long list shouldn't be too difficult to support. There's some clear benefit identified early on in this issue for this style of password. The justification against it beyond time of implementing it is that English words may be bad UX for non-English speakers... arguably English is no more difficult to input for most users, and the existing ASCII generation is no different from that. UI complexity is only if you were to add additional customization as one comment suggested for some reason. That's unnecessary, all lowercase words with a space delimiter (or alternative like Only drawback is the RNG isn't really meeting best practice for word selection, but that'd be an issue with RNG and LessPass in general, especially with the deterministic generation, but that's what users are choosing LessPass for. AFAIK that's mostly remedied by the user generating a master password with a better source of RNG. Low priority for the maintainer is perfectly valid :)
Something like word1-word2-word3-word4
Makes it easier to remember for a sudo password which you type often.