2020-12-12 12:50:45 +01:00
|
|
|
# genpass
|
|
|
|
|
|
|
|
|
|
This plugin provides three unique password generators for ZSH. Each generator
|
|
|
|
|
has at least a 128-bit security margin and generates passwords from the
|
|
|
|
|
cryptographically secure `/dev/urandom`. Each generator can also take an
|
|
|
|
|
optional numeric argument to generate multiple passwords.
|
|
|
|
|
|
fix(genpass): improve performance and usability and fix bugs (#9520)
*Bugs*
The following bugs have been fixed:
- All generators ignored errors from external commands. For example,
if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would
print "0-" as a password and return success.
- All generators silently ignored the argument if it wasn't a number.
For example, `genpass-apple -2` was generating one password and
not printing any errors.
- All generators silently ignored extra arguments. For example,
`genpass-apple -n 2` was generating one password and not printing
any errors.
- `genpass-xkcd` was generating passwords with less than 128 bits of
security margin in contradiction to documentation. The smaller the
dictionary size, the weaker the passwords it was generating. For a
dictionary with 27 words, `genpass-xkcd` was generating passwords
with 93 bits of security margin (`log2(27!)`).
- The source of random data used by `genpass-xkcd` was not
cryptographically secure in contradiction to documentation. See:
https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html
- `genpass-apple` could generate a password with non-ascii characters
depending on user locale. For example, passwords could contain 'İ'
for users with Turkish locale.
- `genpass-apple` didn't work with `ksh_arrays` shell option.
- `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell
option.
- `genpass-xkcd` was producing too short (weak) or too strong (long)
and/or printing errors when `IFS` was set to non-default value.
- All generators were printing fewer passwords than requested and
returning success when passed a very large number as an argument.
*Usability*
Generators are now implemented as self-contained executable files.
They can be invoked from scripts with no additional setup.
Generators no longer depend on external commands. The only dependencies
are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`.
All generators used to silently ignore all arguments after the first
and the first argument if it wasn't a number. For example, both
`genpass-apple -2` and `genpass-apple -n 2` were generating one password
and not printing any errors. Now these print an error and fail.
*Performance*
The time it takes to load the plugin has been greatly reduced. This
translates into faster zsh startup when the plugin is enabled.
Incidentally, two generators out of three have been sped up to a large
degree while one generator (`genpass-xkcd`) has gotten slower. This is
unlikely to matter one way or another unless generating a very large
number of passwords. In the latter case `genpass-xkcd` is now also
faster than it used to be.
The following table shows benchmark results from Linux x86-64 on i9-7900X.
The numbers in the second and third columns show how many times a given
command could be executed per second. Higher numbers are better.
command | before (Hz) | after (Hz) | speedup |
----------------------------|------------:|-----------:|--------:|
`source genpass.plugin.zsh` | 4810 | 68700 | +1326% |
`genpass-apple` | 30.3 | 893 | +2846% |
`genpass-monkey` | 203 | 5290 | +2504% |
`genpass-xkcd` | 34.4 | 14.5 | -58% |
`genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 16:57:59 +01:00
|
|
|
To use it from an interactive ZSH, add `genpass` to the plugins array in your
|
|
|
|
|
zshrc file:
|
2020-12-12 12:50:45 +01:00
|
|
|
|
fix(genpass): improve performance and usability and fix bugs (#9520)
*Bugs*
The following bugs have been fixed:
- All generators ignored errors from external commands. For example,
if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would
print "0-" as a password and return success.
- All generators silently ignored the argument if it wasn't a number.
For example, `genpass-apple -2` was generating one password and
not printing any errors.
- All generators silently ignored extra arguments. For example,
`genpass-apple -n 2` was generating one password and not printing
any errors.
- `genpass-xkcd` was generating passwords with less than 128 bits of
security margin in contradiction to documentation. The smaller the
dictionary size, the weaker the passwords it was generating. For a
dictionary with 27 words, `genpass-xkcd` was generating passwords
with 93 bits of security margin (`log2(27!)`).
- The source of random data used by `genpass-xkcd` was not
cryptographically secure in contradiction to documentation. See:
https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html
- `genpass-apple` could generate a password with non-ascii characters
depending on user locale. For example, passwords could contain 'İ'
for users with Turkish locale.
- `genpass-apple` didn't work with `ksh_arrays` shell option.
- `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell
option.
- `genpass-xkcd` was producing too short (weak) or too strong (long)
and/or printing errors when `IFS` was set to non-default value.
- All generators were printing fewer passwords than requested and
returning success when passed a very large number as an argument.
*Usability*
Generators are now implemented as self-contained executable files.
They can be invoked from scripts with no additional setup.
Generators no longer depend on external commands. The only dependencies
are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`.
All generators used to silently ignore all arguments after the first
and the first argument if it wasn't a number. For example, both
`genpass-apple -2` and `genpass-apple -n 2` were generating one password
and not printing any errors. Now these print an error and fail.
*Performance*
The time it takes to load the plugin has been greatly reduced. This
translates into faster zsh startup when the plugin is enabled.
Incidentally, two generators out of three have been sped up to a large
degree while one generator (`genpass-xkcd`) has gotten slower. This is
unlikely to matter one way or another unless generating a very large
number of passwords. In the latter case `genpass-xkcd` is now also
faster than it used to be.
The following table shows benchmark results from Linux x86-64 on i9-7900X.
The numbers in the second and third columns show how many times a given
command could be executed per second. Higher numbers are better.
command | before (Hz) | after (Hz) | speedup |
----------------------------|------------:|-----------:|--------:|
`source genpass.plugin.zsh` | 4810 | 68700 | +1326% |
`genpass-apple` | 30.3 | 893 | +2846% |
`genpass-monkey` | 203 | 5290 | +2504% |
`genpass-xkcd` | 34.4 | 14.5 | -58% |
`genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 16:57:59 +01:00
|
|
|
plugins=(... genpass)
|
2020-12-12 12:50:45 +01:00
|
|
|
|
fix(genpass): improve performance and usability and fix bugs (#9520)
*Bugs*
The following bugs have been fixed:
- All generators ignored errors from external commands. For example,
if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would
print "0-" as a password and return success.
- All generators silently ignored the argument if it wasn't a number.
For example, `genpass-apple -2` was generating one password and
not printing any errors.
- All generators silently ignored extra arguments. For example,
`genpass-apple -n 2` was generating one password and not printing
any errors.
- `genpass-xkcd` was generating passwords with less than 128 bits of
security margin in contradiction to documentation. The smaller the
dictionary size, the weaker the passwords it was generating. For a
dictionary with 27 words, `genpass-xkcd` was generating passwords
with 93 bits of security margin (`log2(27!)`).
- The source of random data used by `genpass-xkcd` was not
cryptographically secure in contradiction to documentation. See:
https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html
- `genpass-apple` could generate a password with non-ascii characters
depending on user locale. For example, passwords could contain 'İ'
for users with Turkish locale.
- `genpass-apple` didn't work with `ksh_arrays` shell option.
- `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell
option.
- `genpass-xkcd` was producing too short (weak) or too strong (long)
and/or printing errors when `IFS` was set to non-default value.
- All generators were printing fewer passwords than requested and
returning success when passed a very large number as an argument.
*Usability*
Generators are now implemented as self-contained executable files.
They can be invoked from scripts with no additional setup.
Generators no longer depend on external commands. The only dependencies
are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`.
All generators used to silently ignore all arguments after the first
and the first argument if it wasn't a number. For example, both
`genpass-apple -2` and `genpass-apple -n 2` were generating one password
and not printing any errors. Now these print an error and fail.
*Performance*
The time it takes to load the plugin has been greatly reduced. This
translates into faster zsh startup when the plugin is enabled.
Incidentally, two generators out of three have been sped up to a large
degree while one generator (`genpass-xkcd`) has gotten slower. This is
unlikely to matter one way or another unless generating a very large
number of passwords. In the latter case `genpass-xkcd` is now also
faster than it used to be.
The following table shows benchmark results from Linux x86-64 on i9-7900X.
The numbers in the second and third columns show how many times a given
command could be executed per second. Higher numbers are better.
command | before (Hz) | after (Hz) | speedup |
----------------------------|------------:|-----------:|--------:|
`source genpass.plugin.zsh` | 4810 | 68700 | +1326% |
`genpass-apple` | 30.3 | 893 | +2846% |
`genpass-monkey` | 203 | 5290 | +2504% |
`genpass-xkcd` | 34.4 | 14.5 | -58% |
`genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 16:57:59 +01:00
|
|
|
You can also invoke password generators directly (they are implemented as
|
|
|
|
|
standalone executable files), which can be handy when you need to generate
|
|
|
|
|
passwords in a script:
|
2020-12-12 12:50:45 +01:00
|
|
|
|
fix(genpass): improve performance and usability and fix bugs (#9520)
*Bugs*
The following bugs have been fixed:
- All generators ignored errors from external commands. For example,
if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would
print "0-" as a password and return success.
- All generators silently ignored the argument if it wasn't a number.
For example, `genpass-apple -2` was generating one password and
not printing any errors.
- All generators silently ignored extra arguments. For example,
`genpass-apple -n 2` was generating one password and not printing
any errors.
- `genpass-xkcd` was generating passwords with less than 128 bits of
security margin in contradiction to documentation. The smaller the
dictionary size, the weaker the passwords it was generating. For a
dictionary with 27 words, `genpass-xkcd` was generating passwords
with 93 bits of security margin (`log2(27!)`).
- The source of random data used by `genpass-xkcd` was not
cryptographically secure in contradiction to documentation. See:
https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html
- `genpass-apple` could generate a password with non-ascii characters
depending on user locale. For example, passwords could contain 'İ'
for users with Turkish locale.
- `genpass-apple` didn't work with `ksh_arrays` shell option.
- `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell
option.
- `genpass-xkcd` was producing too short (weak) or too strong (long)
and/or printing errors when `IFS` was set to non-default value.
- All generators were printing fewer passwords than requested and
returning success when passed a very large number as an argument.
*Usability*
Generators are now implemented as self-contained executable files.
They can be invoked from scripts with no additional setup.
Generators no longer depend on external commands. The only dependencies
are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`.
All generators used to silently ignore all arguments after the first
and the first argument if it wasn't a number. For example, both
`genpass-apple -2` and `genpass-apple -n 2` were generating one password
and not printing any errors. Now these print an error and fail.
*Performance*
The time it takes to load the plugin has been greatly reduced. This
translates into faster zsh startup when the plugin is enabled.
Incidentally, two generators out of three have been sped up to a large
degree while one generator (`genpass-xkcd`) has gotten slower. This is
unlikely to matter one way or another unless generating a very large
number of passwords. In the latter case `genpass-xkcd` is now also
faster than it used to be.
The following table shows benchmark results from Linux x86-64 on i9-7900X.
The numbers in the second and third columns show how many times a given
command could be executed per second. Higher numbers are better.
command | before (Hz) | after (Hz) | speedup |
----------------------------|------------:|-----------:|--------:|
`source genpass.plugin.zsh` | 4810 | 68700 | +1326% |
`genpass-apple` | 30.3 | 893 | +2846% |
`genpass-monkey` | 203 | 5290 | +2504% |
`genpass-xkcd` | 34.4 | 14.5 | -58% |
`genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 16:57:59 +01:00
|
|
|
~/.oh-my-zsh/plugins/genpass/genpass-apple 3
|
2020-12-12 12:50:45 +01:00
|
|
|
|
|
|
|
|
## genpass-apple
|
|
|
|
|
|
|
|
|
|
Generates a pronounceable pseudoword passphrase of the "cvccvc" consonant/vowel
|
|
|
|
|
syntax, inspired by [Apple's iCloud Keychain password generator][1]. Each
|
fix(genpass): improve performance and usability and fix bugs (#9520)
*Bugs*
The following bugs have been fixed:
- All generators ignored errors from external commands. For example,
if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would
print "0-" as a password and return success.
- All generators silently ignored the argument if it wasn't a number.
For example, `genpass-apple -2` was generating one password and
not printing any errors.
- All generators silently ignored extra arguments. For example,
`genpass-apple -n 2` was generating one password and not printing
any errors.
- `genpass-xkcd` was generating passwords with less than 128 bits of
security margin in contradiction to documentation. The smaller the
dictionary size, the weaker the passwords it was generating. For a
dictionary with 27 words, `genpass-xkcd` was generating passwords
with 93 bits of security margin (`log2(27!)`).
- The source of random data used by `genpass-xkcd` was not
cryptographically secure in contradiction to documentation. See:
https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html
- `genpass-apple` could generate a password with non-ascii characters
depending on user locale. For example, passwords could contain 'İ'
for users with Turkish locale.
- `genpass-apple` didn't work with `ksh_arrays` shell option.
- `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell
option.
- `genpass-xkcd` was producing too short (weak) or too strong (long)
and/or printing errors when `IFS` was set to non-default value.
- All generators were printing fewer passwords than requested and
returning success when passed a very large number as an argument.
*Usability*
Generators are now implemented as self-contained executable files.
They can be invoked from scripts with no additional setup.
Generators no longer depend on external commands. The only dependencies
are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`.
All generators used to silently ignore all arguments after the first
and the first argument if it wasn't a number. For example, both
`genpass-apple -2` and `genpass-apple -n 2` were generating one password
and not printing any errors. Now these print an error and fail.
*Performance*
The time it takes to load the plugin has been greatly reduced. This
translates into faster zsh startup when the plugin is enabled.
Incidentally, two generators out of three have been sped up to a large
degree while one generator (`genpass-xkcd`) has gotten slower. This is
unlikely to matter one way or another unless generating a very large
number of passwords. In the latter case `genpass-xkcd` is now also
faster than it used to be.
The following table shows benchmark results from Linux x86-64 on i9-7900X.
The numbers in the second and third columns show how many times a given
command could be executed per second. Higher numbers are better.
command | before (Hz) | after (Hz) | speedup |
----------------------------|------------:|-----------:|--------:|
`source genpass.plugin.zsh` | 4810 | 68700 | +1326% |
`genpass-apple` | 30.3 | 893 | +2846% |
`genpass-monkey` | 203 | 5290 | +2504% |
`genpass-xkcd` | 34.4 | 14.5 | -58% |
`genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 16:57:59 +01:00
|
|
|
password has exactly 1 digit placed at the edge of a "word" and exactly 1
|
2020-12-12 12:50:45 +01:00
|
|
|
capital letter to satisfy most password security requirements.
|
|
|
|
|
|
|
|
|
|
% genpass-apple
|
|
|
|
|
gelcyv-foqtam-fotqoh-viMleb-lexduv-6ixfuk
|
|
|
|
|
|
|
|
|
|
% genpass-apple 3
|
|
|
|
|
japvyz-qyjti4-kajrod-nubxaW-hukkan-dijcaf
|
|
|
|
|
vydpig-fucnul-3ukpog-voggom-zygNad-jepgad
|
|
|
|
|
zocmez-byznis-hegTaj-jecdyq-qiqmiq-5enwom
|
|
|
|
|
|
|
|
|
|
[1]: https://developer.apple.com/password-rules/
|
|
|
|
|
|
|
|
|
|
## genpass-monkey
|
|
|
|
|
|
|
|
|
|
Generates visually unambiguous random meaningless strings using [Crockford's
|
|
|
|
|
base32][2].
|
|
|
|
|
|
|
|
|
|
% genpass-monkey
|
|
|
|
|
xt7gn976e7jj3fstgpy27330x3
|
|
|
|
|
|
|
|
|
|
% genpass-monkey 3
|
|
|
|
|
n1qqwtzgejwgqve9yzf2gxvx4m
|
|
|
|
|
r2n3f5s6vbqs2yx7xjnmahqewy
|
|
|
|
|
296w9y9rts3p5r9yay0raek8e5
|
|
|
|
|
|
|
|
|
|
[2]: https://www.crockford.com/base32.html
|
|
|
|
|
|
|
|
|
|
## genpass-xkcd
|
|
|
|
|
|
|
|
|
|
Generates passphrases from `/usr/share/dict/words` inspired by the [famous (and
|
|
|
|
|
slightly misleading) XKCD comic][3]. Each passphrase is prepended with a digit
|
|
|
|
|
showing the number of words in the passphrase to adhere to password security
|
|
|
|
|
requirements that require digits. Each word is 6 characters or less.
|
|
|
|
|
|
|
|
|
|
% genpass-xkcd
|
|
|
|
|
9-eaten-Slav-rife-aired-hill-cordon-splits-welsh-napes
|
|
|
|
|
|
|
|
|
|
% genpass-xkcd 3
|
|
|
|
|
9-worker-Vlad-horde-shrubs-smite-thwart-paw-alters-prawns
|
|
|
|
|
9-tutors-stink-rhythm-junk-snappy-hooray-barbs-mewl-clomp
|
|
|
|
|
9-vital-escape-Angkor-Huff-wet-Mayra-abbés-putts-guzzle
|
|
|
|
|
|
|
|
|
|
[3]: https://xkcd.com/936/
|
