
I prefer the passphrase: https://xkcd.com/936/

Also, I feel very funny using a generated password from a website. If I need a new password, I can just generate one in Python or something.



I have this macro saved in ipython. Note that I use a subset of symbols that's easy to type on most(?) keyboard layouts without any gymnastics:

  # %load pwm   (IPython magic that loads this macro file)
  import random as r
  import string as s
  def pw(n=12):
    # letters, digits and a small set of easy-to-type symbols
    # (the original literal had "\-", which Python keeps as a
    # stray backslash; a plain "-" is what was meant)
    return "".join([r.choice(s.ascii_letters
                             + s.digits
                             + "|!@#$%&/()=?+-_.,;:")
                    for x in range(n)])


Note: random wasn't patched to use a secure generator in python3 (yet) - from a quick look, it appears secrets.choice() does what I thought random.choice() already did (python 3.6, not 3.5 and earlier)


ruby -e 'rand(34*10).to_s(34)'

I prefer not to have to use the shift key in passwords, and the 34 instead of 36 ([0-9a-z]) solves my German/US layout problem in a very golfy way.


Both your and parent's password generators are not secure: they use non-cryptographic random number generators, which have limited entropy.


On most platforms python3's random uses OS-level random? The suitable one on Windows and /dev/random on Linux?

[ed: hm, no - not yet. I remembered discussions like this:

https://lwn.net/Articles/657269/

But looks like "secrets"[1] has the strong random.choice provider among others.

Probably the (minimal, dirty) change needed (for python 3.6 and later) is:

  import secrets as r
But I can't test that right now. Thanks for calling me out on this, and having me do a quick search to check my assumptions.

I do agree that for this particular case, the pseudo-random generator seeded by system time might be enough (or at least better than "random" key presses) - but I don't like spreading bad patterns. And for any code generating many passwords, with the opportunity for an attacker to get a sample - this is likely very bad.

[1] https://docs.python.org/dev/library/secrets.html ]


That matters very little if you are manually generating an occasional password here and there for personal use and an attacker has no reason to know your specific method of generating the password.


True. Otoh I just told the attacker my specific method :-) And I'd prefer a system that was secure enough that doing so wasn't a problem.


Ruby takes the seed for rand() from /dev/urandom, according to doc. That's good enough for a single use.


Minor typo or issue with HN escaping:

    rand(34**10)
rather than

    rand(34*10)
And you'll probably want a puts in front.
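As an added example (not code from any of the commenters), here is what the IPython macro and the Ruby one-liner look like once the draws come from the `secrets` module, which the thread identifies as the CSPRNG-backed replacement for `random.choice()`, together with the entropy arithmetic that the "limited entropy" objection rests on. The alphabet is the macro's own; the base-34 digit set is the one Ruby's `Integer#to_s(34)` uses (0-9 then a-x); the zero-padding in `pw_base34` is this example's choice, not something the one-liner does.

```python
import math
import secrets
import string

# Alphabet of the IPython macro upthread: letters, digits and the same small set
# of easy-to-type symbols (the macro's "\-" is a plain hyphen here).
SYMBOLS = "|!@#$%&/()=?+-_.,;:"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Digit set Ruby's Integer#to_s(34) uses: 0-9 followed by a-x.
BASE34_DIGITS = string.digits + string.ascii_lowercase[:24]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def range_entropy_bits(n: int) -> float:
    """Entropy of one uniform integer drawn from range(n): log2(n)."""
    return math.log2(n)


def pw(n: int = 12, alphabet: str = ALPHABET) -> str:
    """Same shape as the macro's pw(), but every symbol comes from the secrets
    module, which reads the OS CSPRNG (os.urandom) instead of Mersenne Twister."""
    return "".join(secrets.choice(alphabet) for _ in range(n))


def to_base(value: int, digits: str) -> str:
    """Render a non-negative integer in the given digit alphabet, most
    significant digit first (what Ruby's to_s(base) does)."""
    if value < 0:
        raise ValueError("value must be non-negative")
    base = len(digits)
    if value == 0:
        return digits[0]
    out = []
    while value:
        value, rem = divmod(value, base)
        out.append(digits[rem])
    return "".join(reversed(out))


def pw_base34(ndigits: int = 10) -> str:
    """Secure counterpart of `rand(34**10).to_s(34)`: a uniform integer below
    34**ndigits, rendered in base 34 and left-padded with '0' so the output
    always has `ndigits` characters (padding is a bijection, so no entropy is lost)."""
    value = secrets.randbelow(34 ** ndigits)
    return to_base(value, BASE34_DIGITS).rjust(ndigits, BASE34_DIGITS[0])


if __name__ == "__main__":
    print(pw(), f"{entropy_bits(len(ALPHABET), 12):.1f} bits")
    print(pw_base34(), f"{range_entropy_bits(34 ** 10):.1f} bits")
    # The typo'd rand(34*10) draws from only 340 values:
    print(f"rand(34*10): {range_entropy_bits(34 * 10):.1f} bits")
```

The entropy figures assume the attacker knows the alphabet and the length and only has to guess the draws, which is exactly the setting in which a Mersenne Twister seeded from the clock falls short: its output is predictable from a small sample, so the effective entropy is far below `length * log2(alphabet_size)` even though the password looks the same. With `secrets`, the figure printed is the figure you get.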


Passphrases are classic, used in every spy novel ever. They should be allowed.

In fact xkcd underestimated the entropy. The stated entropy is only true if you limit yourself to words a 4 year old would use.

Systems that limit maximum number of characters or require character classes are the worst.
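Added example (not from the thread): a passphrase generator in the xkcd style, using `secrets` for the word picks, plus the entropy estimate that the comic's 44-bit figure comes from (4 words from a 2048-word list) and how that figure moves with list size. The word list here is a constructed eight-word sample standing in for a real list; only the list size enters the estimate.

```python
import math
import secrets

# Constructed sample word list (stand-in for a real one such as the 2048-word
# list the xkcd comic assumes or the 7776-word Diceware list); only its size
# enters the entropy estimate.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "river", "candle", "orbit", "meadow"]


def passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly (with replacement) via the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size: int, count: int) -> float:
    """Entropy of `count` independent picks from `list_size` words, under the
    Kerckhoffs assumption that the attacker knows the list and the scheme."""
    return count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words whose passphrase reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS))
    for size in (8, 2048, 7776, 50000):
        print(f"{size:>6} words: 4-word phrase = {passphrase_bits(size, 4):.1f} bits, "
              f"{words_needed(size, 80)} words for 80 bits")
```

The estimate is the worst case for the user: it grants the attacker knowledge of the word list and of the fact that a passphrase was used, so an attacker who does not know to try passphrases only does worse. It also shows why the comic's number is a floor rather than a ceiling, as the comment above says: the same four-word phrase drawn from a larger vocabulary carries more bits, and a vocabulary as small as the sample here needs many more words to reach the same strength.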


I've also always thought it was wrong to assume your adversary knows to try only passphrases.


This comes from Kerckhoffs' Principle: a system should be secure even if everything about the system, except the key, is public knowledge.



