43 comments

[ 54.2 ms ] story [ 1864 ms ] thread
This generates the password on a server you don't control.

I recommend not using it.

Using 'tr -dc A-Za-z0-9 < /dev/urandom | head -c $length' is more secure and available on your linux or osx machine even more easily than waiting a second for a server to run some java off in a magic black box.

If you get "tr: Illegal byte sequence" you can prepend 'LC_ALL=C ' before the 'tr' to prevent tr from trying to treat the stream as a unicode sequence.
This isn't a great site or anything and you're right that password should be generated client-side. But not everyone is one Linux or Mac and sometimes it's just easier to Google "password generator" than remembering that command.

Your comment reminds me of the infamous Dropbox comment: https://news.ycombinator.com/item?id=9224

Yes you right I just created this password generator for fun in the browxy online compiler. The UI is auto-generated with a tool that the site provide. I'm just curious why this tool caused so many interest and wondering what other tools can be built that cause this type of interest...
Password managers and browsers themselves can generate passwords. Generating passwords with a website it a terrible idea, googling "password generator" and going to some random website is an even worse variant of the same idea.
this is not a random website, this is "the browxy" site
I find it bizarre that you have exactly 3 comments in 5 years, all of which are on dbremmen's posts, who happens to be the creator of browxy [0].

Forgive me if I don't trust my password generation on the servers of someone who is either sock-puppeting, or having a friend do something that does not look all that different.

Even if I trust the person who runs the browxy website and servers, I don't trust my password generation to a multi-tenet environment. Browxy is running this code in docker containers on a machine with many other docker containers running arbitrary user-submitted code. The intel vulnerabilities over the past year or so have made it incredibly clear that running sensitive code on the same CPU as totally untrusted and possibly malicious code is a dangerous proposition and there are numerous potential side channels to exfiltrate data.

Trusting password generation to a website that generates passwords on a shared machine is even worse than the usual password generation website which at least uses javascript/securerandom to do it on my CPU.

[0]: https://news.ycombinator.com/item?id=11719439

If you look at submissions of these two accounts it’s even worse.
There are plenty of actually secure and usable password generators, such as the one integrated with keepass / 1password / etc.

I'm sure there are secure websites to do it too. This isn't it though.

The dropbox comment isn't relevant. It's a bias to say "I remember this thing was criticized in a similar way but succeeded" and map that on to "so other criticisms aren't valid".

It's far more often than things seem unlikely to succeed to critics, and then quietly fail than that things seem unlikely to succeed to critics, but then succeed. After all, almost everything ever made doesn't see widespread success.

Our brain does remember the latter cases more, and that leads to the bias.

I see it most commonly with the phrase "X started out small too" as a defence for why something small will grow to something big, when in reality that's cherry picking massively.

> there are secure websites to do it too.

Such websites have to be audited every single time you use it. Even if I only have a web browser and nothing else I would combine random.org and diceware.com instead of trusting some website.

You can also try indexing into /usr/share/dict/words for a correcthorsebatterystaple-style password. I'm sure there's a cute on-liner, I did it in Python because that took a lot less time than all the man page searching how to do it with Unix text processing tools would have taken.

Yes, it would be better to remember random characters of the same length. But most people don't. I personally have one password I use to sign into 1password and a small other set of critical services, and longer random passwords for everything else. I personally don't worry about nation state adversaries so I can make myself less vulnerable to mass automated attacks and targeted attacks by non-experts. It's important to remember not to let perfect be the enemy of the good, and important not to discount the cost of DOSing yourself. I reduced my security after I lost access to something of value.

shuf -n 4 /usr/share/dict/words | tr '\n' ' ' && echo
Thanks! I'm trying to learn bash, and it's going slow (right now still trying to fully understand set -euxo pipefail). I would not have guessed that a command existed to make random permutations, I was expecting an awk incantation.
Your cute one-liner for 4 words:

sort --random-sort /usr/share/dict/words | head -n 4 | tr -d '\n'

You may wish to omit words that have "'" characters, in which case you may throw in a grep -v "'" after the sort.

Thank you. I think it's a testament to the power of unix that two different people responded with solutions using different commands. I should have thought of sort, it feels natural in retrospect. Am I right in believing bash pipes are lazy enough that that won't require sorting the whole file, just pulling out four random lines?

As a side note, I'm guessing grep had -v before it became a standard for verbose? That's one of the hardest parts: it seems open source tools never change UI to help new users at the expense of old ones having to change workflows. A valid way of doing it, and as someone who's never contributed to anything open source I have no place to criticize. Just saying makes it harder. (And I'm realizing I haven't used any closed source software from a comprable time, so I have no idea if this is FOSS-specific)

I don't think the pipe could know that head will have the -n 4. In what context is -v standard for verbose?

edit: This stack exchange seems to relevant https://stackoverflow.com/questions/45326901/lazy-non-buffer...

I don't think grep was originally open source. FWIW, the nemonic for -v on grep is inVert. I'm so happy that --long_options are a thing nowadays, much more readable.

I'm pretty sure that head pulls from up in the pipeline line-by-line. Interesting to know the mnemonic. Many modern command-line utilities use -v for verbose logging, in my (limited) experience.
Here's a perl one for fun :)

  perl -MList::Util=shuffle -0ane 'print ((shuffle @F)[0..3],"\n")' < /usr/share/dict/words
Why thank you :)

From the perspective of someone who's just getting started with learning to code, perl seems like a pile of spermaceti: was once very important, could be turned into beautifully smelling products so long as you didn't pay too much attention to the production process, and no longer needed because of modern synthetics :)

But I've only ever read people mocking perl, never built anything with it. It appears immensely powerful, but collapsing arrays by default makes no sense at all.

Perl's problem is that it's more confusing than it is powerful.

I think most of the people who were into Perl for the "beauty" ended up going to ruby.

People who were into it for CPAN went to python.

You might find this interesting, as you can see the spirit is alive and well: https://github.com/learnbyexample/Command-line-text-processi...

  ruby -0ane 'print $F.shuffle[0..3].join,"\n"' < /usr/share/dict/words
If you're intrigued by the idea of perl one-liners, go explore ruby.
I will, I hope, someday. I want to get an intermediate knowledge of Lisp, or C, or Rust first I think. I know a bit of Python, and think I'd prefer to learn something more different than it next. My impression is that Python is a less whimsical more enterprise-y and conformist sibling of ruby.
My unsolicited advice: Don't worry too much about specific languages. The most valuable thing you can do is get a strong command of *nix and solve a lot of real-world problems with it. Make it your desktop OS and spend a lot of time with it. Build yourself a router. Make a RPi do something to improve your life. Take some cloud service you use and figure out if you could do it the libre way yourself. Build your own NAS. Bonus points if you learn vim or emacs while you're doing it.

Don't worry too much about the meta-narrative about the culture associated with each of the languages. The surveillance state is being built with python, but a lot of hardware hackers prefer python too. Ruby is praised for its flexibility, but its most successful project is literally called "Ruby on Rails" because it tells you exactly how to do everything.

The way people feel about languages goes in cycles, so it's good to be aware of it, but you can mostly ignore it. Use the best tools for the job. If the job is making computers do things, the best tool is unix :)

Thank you for the advice. I'm trying two now: Ubuntu for my daily driver, Emacs (with spacemacs to simplify config for now) for most writing.

I bought an rpi, but could never figure out something to do with it. Any suggestions?

My feeling with languages is that they may go in cycles but it'd be useful to learn either something with a completely different conceptual model (Lisp) or requiring me to understand pointers. But I'd been thinking about trying to lean Unix instead lately.

I feel like I'm pointing a flashlight around a cave with Linux systems. Any advise for some systemic learning? My cs curriculum won't cover anything that applied.

> Thank you for the advice. I'm trying two now: Ubuntu for my daily driver, Emacs (with spacemacs to simplify config for now) for most writing.

If you don't know either of them yet, I'd suggest vim ;)

> I bought an rpi, but could never figure out something to do with it. Any suggestions?

Pi-hole is a super popular project, maybe give that a try.

> or requiring me to understand pointers

Maybe learn to do some old-school stack smashing? https://insecure.org/stf/smashstack.html

There are a bunch of CTFs out there you can play with that help build skills.

> I feel like I'm pointing a flashlight around a cave with Linux systems. Any advise for some systemic learning?

Sounds like you're on the right path :)

Maybe try doing http://www.linuxfromscratch.org/lfs/read.html if you really want a deep understanding of how Linux works.

Also, just browsing the Linux documentation is useful: https://www.kernel.org/doc/html/latest/

I have a few years muscle memory with basic vim. I'm not the most efficient yet, mostly limited to hjkl, :wq, and %s//, but I know enough to edit a file on a remote system in vi and I think that's close to all I need. I use evil in emacs because I hate and don't want to learn vimscript, and because I like the concept of literate programming in org mode and want to learn it (recently tried literate programming hacky wifi config setup, found it reduced repetition and confusion).

I'll take a look at your links, but I don't think RTFMing will be super useful to me right now. I want to learn the kind of questions I should be asking. For example, I recently heard the words "selinux" and "apparmour". Now that I know them I can Google around and eventually figure out how to use apparmour, but I'm more worried about what other gotchas I've never thought of. Any advise for something less comprehensive than the docs, with more of a focus on what works nowadays?

Thank you!

I didn't mean RTFM exactly, what I mean is that if you're curious about how SELinux fits into the system, check where it is in the docs: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index...

You can see that both AppArmor and SELinux are part of the "Linux Security Module" framework.

If you know what's in the table of contents on the left, particularly "The Linux kernel user’s and administrator’s guide", you'll have a pretty good idea of how Linux hangs together: https://www.kernel.org/doc/html/latest/admin-guide/index.htm...

I'll have a look. Thanks for the pointers.
You might be interested in https://github.com/laerling/xkcdget, the correcthorsebatterystaple-type version of my own https://github.com/majewsky/pwget.
It looks cool, but I'd rather use completely independent random passwords. You seem like a nice person, but I don't trust you you to have gotten your crypto totally right. Someday I'll describe how a massive flaw in my understanding of gpg and pass let me recover from loosing my gpg key.

One small comment: the password I remember is the password I type, or I run into issues. If the sentence has "the" and plurals, so will the password.

(This password I generated was only used as a master and for a handful of key services)

> You seem like a nice person, but I don't trust you you to have gotten your crypto totally right.

That's the correct position to hold. Note that my readme makes you read through big fat warnings and security considerations before getting to installation and usage instructions.

I did note that, and I agree you're completely correct to disclaim I shouldn't use your work if I would hB relying on its security. I chose to listen to you :)
(comment deleted)
I created something similar ~2 decades ago in perl. It would spit out a long list of passwords in text format so you could chose one without the server knowing what you chose.

Today, keepass does the job just fine.

That's a nice idea! I just created this password generator for fun like other utilities in java but I don't know just this one generated so many interest. You can see the source code using the button to the bottom right (the one that has 1's and 0's)
Instead of a search space of 1 you augmented it to N which is likely <= 2^10. Still a pretty terrible idea to trust a password like that.
I agree, however, it ran on our own server so it was OK-ish.
Thanks for all the nice comments that are intended with good karma. What other feature can I add to this password generator that is useful? I agree that using linux is more secure but for passwords that are not as important I think this tool works fine, also you don't need to remember a big line of code and you can execute it on your mobile phone
It seems surprisingly complicated. Why is there a “start” and “stop” button? Why does it take so long for it to generate a random string? Why is there a “console” that just seems to show the page template?
You right! Console and stop button are not necessary. The UI is generated with a UI creation tool that match program arguments with UI widgets (see: https://ibb.co/phQQFxr). In this case there is an option missing to don't show the stop button and the console (These are shown due that you can create interactive programs with browxy)
I use

</dev/urandom tr -dc 23456789~*@#$%_+-=qwertQWERTasdfgASDFGzxcvbZXCVB | head -c13; echo ""