gnome-password-generator replacement?

gnome-password-generator replacement?

Andre Robatino-2
gnome-password-generator will not be available in the Fedora repos for F26 and later. Do the repos contain a good replacement?
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]

Re: gnome-password-generator replacement?

jd1008

On 06/18/2017 11:25 AM, Andre Robatino wrote:
> gnome-password-generator will not be available in the Fedora repos for F26 and later. Do the repos contain a good replacement?
gnome project keeps doing things that disable the user.
That is why I do not use it anymore.

Re: gnome-password-generator replacement?

stan
In reply to this post by Andre Robatino-2
On Sun, 18 Jun 2017 17:25:41 -0000
"Andre Robatino" <[hidden email]> wrote:

> gnome-password-generator will not be available in the Fedora repos
> for F26 and later. Do the repos contain a good replacement?

It doesn't have a gui that I know of, but I use pwgen from the Fedora
repositories.  It warns that the passwords are less secure than fully
random passwords, but it allows passwords to be required to have a
capital, a number, and a special character.  When I put a 16 or 18
character password into a strength checker, it always comes out as
highly secure.

Of course, I don't remember those, I keep them in an encrypted file and
cut and paste them where needed.  Not sure how secure using the
paste buffer would be on a shared system.

Re: gnome-password-generator replacement?

Matthew Miller-2
In reply to this post by jd1008
On Sun, Jun 18, 2017 at 12:19:46PM -0600, JD wrote:
> gnome project keeps doing things that disable the user.

This seems... unnecessary. No one in GNOME is "disabling the user".
Remember that Fedora — like GNOME, for that matter — is maintained by
volunteers. For whatever reason, this package is marked as an "orphan".
This means that there is not currently anyone volunteering to take care
of it.

If you'd like to help, see the process for claiming an orphaned package:
https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_an_Orphaned_Package_Procedure



--
Matthew Miller
<[hidden email]>
Fedora Project Leader

Re: gnome-password-generator replacement?

Andre Robatino-2
In reply to this post by stan
Thanks. I had actually installed pwgen a few months ago, but it looked like the passwords weren't strong enough. gnome-password-generator has a Character set option "All printable (excluding space)". It appears that "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the same as "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It would be really nice if there was something where you could specify an exact set of characters to either include or exclude, to cope with certain websites that allow only some special characters.

Re: gnome-password-generator replacement?

Andre Robatino-2
BTW, just noticed a bug. pwgen doesn't have an option to use numbers only (for creating PINs) so I tried to use "pwgen -n 1" to generate a sequence of random digits. But all of the 1-character passwords are lower-case letters, no digits. Filed https://bugzilla.redhat.com/show_bug.cgi?id=1462557 .

Re: gnome-password-generator replacement?

Andre Robatino-2
In reply to this post by stan
makepasswd also looks useful. It's clumsier to use, but more flexible. You use the -c option followed by a string to specify the exact set of allowed characters. The following prints all of the 94 non-space printable characters:

for (( c=33; c<=126; c++ )); do printf "\x$(printf %x $c)"; done

which you can use to construct a makepasswd command using all of those characters (putting all the special chars at the end, and backquoting each of them)

makepasswd -c 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\\\]\^\_\`\{\|\}\~ -l 30

(for a 30-character password) and you can remove special chars depending on what a particular website allows.

Re: gnome-password-generator replacement?

Tim-163
In reply to this post by Matthew Miller-2
JD wrote:
>> gnome project keeps doing things that disable the user.

Matthew Miller:
> This seems... unnecessary.

Though, I'd say it's accurate.

You could build up a list of things that keep getting removed from your
control in Gnome.  I'm not going to attempt to build up an extensive
one, but as someone who's used Gnome on Fedora since Fedora began, and
Red Hat Linux beforehand, I have definitely noticed things being removed
from user control.  Here's just a few, and I'm sure others could add
quite a few more, if they wanted:

     1. Used to be able to customise GDM, can't anymore without serious
        hacking.
     2. Used to be able to have screensavers, now you have to bodge in
        something else.
     3. Used to have decent control of the audio mixer, now there's
        none.

Others have commented that if they try to bring up user-configuration of
Gnome in the Gnome arena, it always gets howled down.  The evidence is
against your assertion.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

I reserve the right to be as hypocritical as the next person.



Re: gnome-password-generator replacement?

stan
In reply to this post by Andre Robatino-2
On Sun, 18 Jun 2017 20:55:08 -0000
"Andre Robatino" <[hidden email]> wrote:

> Thanks. I had actually installed pwgen a few months ago, but it
> looked like the passwords weren't strong enough.
> gnome-password-generator has a Character set option "All printable
> (excluding space)". It appears that "pwgen -sy 30 1", for example,
> does just that, and "pwgen -s 30 1" is the same as "Alphanumeric
> (a-z, A-Z, 0-9)". I use a password manager, so only care about
> maximum entropy. It would be really nice if there was something where
> you could specify an exact set of characters to either include or
> exclude, to cope with certain websites that allow only some special
> characters.

I think it isn't necessary to have all those special characters in order
to have strong passwords.

Open an xterm, and start python by typing python.  Then paste the
following into the command line and hit enter.

(62**30) // (86400000000 * 366)

There are 62 unique possibilities with upper and lower case letters and
numerals.  This is the number of years that a million brute force
attempts per second would take to crack that 30 character password with
only letters and numbers.  With 9 alphanumerics instead of 30,
it's about 400 years, which seems more than adequate.  The special
characters add another 30 possibilities, so the passwords can be
shorter for the same strength, but a 33 character alphanumeric password
is ~ the same as a 92 possibility 30 character password. People
cracking strong passwords don't know that you haven't used 92
characters instead of 62, so they have to check all 92.  :-)  Control-D
exits the python interpreter.

When I hit pwgen -y, it generates columns of 8 character passwords with
a number, a capital, and a special character.  If you need specific
special characters, just grab a few of those with the special
characters you need and concatenate them (4 would be 32 characters), or
change the special character(s) to the one(s) you need.

I think the real danger with passwords is that people use the same one
(usually weak) on multiple sites, so if a site gets cracked, they are
endangered in other places.  You've already finessed that by using a
password manager, so you can easily have unique, strong passwords at
every site.

But these are just my opinions, you have to do what makes you feel
comfortable with your security.
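The arithmetic from the message above, generalized to any alphabet size, length and guess rate. This is an added example, not code from the thread: the function names are assumptions, while the 1,000,000 guesses per second and the 366-day year are the figures that message uses.

```python
# Exact integer arithmetic, so the results match the interpreter expression
# quoted in the message above.
SECONDS_PER_YEAR = 86400 * 366  # same year length as that expression


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, guesses_per_second=1_000_000):
    """Whole years needed to try every candidate at a fixed guess rate.

    This is the full search; on average a guesser needs half of it.
    """
    per_year = guesses_per_second * SECONDS_PER_YEAR
    return keyspace(charset_size, length) // per_year


def equivalent_length(charset_size, length, other_size):
    """Shortest length over `other_size` symbols with at least the same keyspace."""
    target = keyspace(charset_size, length)
    n = 1
    while other_size ** n < target:
        n += 1
    return n


if __name__ == "__main__":
    # (alphabet size, length) pairs taken from the discussion in this thread.
    for size, length in [(62, 9), (62, 30), (92, 30), (94, 16)]:
        years = years_to_exhaust(size, length)
        same_as = equivalent_length(size, length, 62)
        print(f"{size:>3} symbols x {length:>2} chars: {years:.3e} years at 1e6/s, "
              f"matched by {same_as} alphanumeric chars")
```
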

Re: gnome-password-generator replacement?

Joe Zeff-2
In reply to this post by Tim-163
On 06/18/2017 07:03 PM, Tim wrote:
>       1. Used to be able to customise GDM, can't anymore without serious
>          hacking.
>       2. Used to be able to have screensavers, now you have to bodge in
>          something else.
>       3. Used to have decent control of the audio mixer, now there's
>          none.

         4. Used to be able to customize your desktop without installing
            third party add-ons that might break without warning at the
            next update.

Re: gnome-password-generator replacement?

Andre Robatino-2
In reply to this post by stan
Many websites don't allow even 30 chars. One of the important ones I use allows only 16 characters (and no 2FA option), but happens to allow special characters. Using the largest possible character set is the only way to shore that up.
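A generator that takes an exact set of allowed characters, which is what the makepasswd command and the 16-character site limit discussed above both come down to. This is an added example, not code from any poster or from pwgen or makepasswd; the function names and the sample site policy are assumptions.

```python
import math
import secrets
import string

# The 94 non-space printable ASCII characters (codes 33..126), the same set
# the shell loop earlier in the thread prints.
PRINTABLE = "".join(chr(c) for c in range(33, 127))


def build_charset(include=PRINTABLE, exclude=""):
    """Return the sorted, de-duplicated set of allowed characters."""
    allowed = sorted(set(include) - set(exclude))
    if len(allowed) < 2:
        raise ValueError("character set must contain at least 2 characters")
    return "".join(allowed)


def generate(length, charset, require=()):
    """Draw `length` characters uniformly from `charset` using the OS CSPRNG.

    `require` is an optional list of character groups (for example the
    digits). A candidate missing any group is discarded and redrawn in full,
    so every password that satisfies the policy stays equally likely.
    """
    groups = [set(g) & set(charset) for g in require]
    if any(not g for g in groups):
        raise ValueError("a required group has no characters in the charset")
    # Conservative feasibility check: one position per required group.
    if len(groups) > length:
        raise ValueError("length too short for the required groups")
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if all(g & set(candidate) for g in groups):
            return candidate


def entropy_bits(length, charset):
    """Upper bound in bits: length * log2(size of the character set)."""
    return length * math.log2(len(charset))


if __name__ == "__main__":
    # Constructed policy: at most 16 characters, only these specials accepted.
    specials = "!@#$%"
    site = build_charset(string.ascii_letters + string.digits + specials)
    print(generate(16, site, require=[string.digits, specials]),
          f"({entropy_bits(16, site):.1f} bits max)")
    # Full printable set at the same length, for comparison.
    print(generate(16, PRINTABLE), f"({entropy_bits(16, PRINTABLE):.1f} bits max)")
    # Digits only, for a PIN.
    print(generate(6, build_charset(string.digits)))
```
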

Re: gnome-password-generator replacement?

Tim-163
In reply to this post by stan
On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> I think it isn't necessary to have all those special characters in
> order to have strong passwords.

I completely agree, it's just as impossible to guess that a password is
"$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
remember and type.  With the peculiar password rules, I have no choice
but to do the insecure and write down passwords somewhere (whether
that's on paper or on file).  You're not supposed to write passwords
down anywhere.

About the only benefit of stupid character rules is to try and stop
people putting in guessable things, like their child's birthday.  But
the usual rules won't stop people using "John1983$".

What these rulemakers forget is that password cracking is an all or
nothing venture.  You have to get it exactly right to crack it, you
don't get hints that you're almost correct.

Really, what ought to get tightened up is the software accepting logons.
There should be a limited number of attempts (3 goes and you're out for a
significant time limit).  Any system that lets a cracker hammer away
with repeated attempts is the thing that is broken.

> I think the real danger with passwords is that people use the same one
> (usually weak) on multiple sites, so if a site gets cracked, they are
> endangered in other places.

I quite agree.  Along with other stupidities, such as a website telling
users to login with their email address and password.  Instead, it ought
to ask people to login with their account name and *this* site's
password.  People stupidly give their credentials away to all and
sundry with prompts like that.  The account creation process should
specifically say not to use the same password as they use anywhere else.


Re: gnome-password-generator replacement?

Andre Robatino-2
> On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
>
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> remember and type.  With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file).  You're not supposed to write passwords
> down anywhere.

If you use a password manager, you can use a different strong random password for each site, and copy and paste it. Fifty characters is just as easy as 8, and means you don't have to worry about changing the password again (unless a website like Socialsecurity.gov forces you to, and they should eventually stop doing that).

> Really, what ought to get tightened up is the software accepting logons.
> There should be a limited number of attempts (3 goes and you're out for a
> significant time limit).  Any system that lets a cracker hammer away
> with repeated attempts is the thing that is broken.

That works as long as the website isn't hacked. If it is, even if the passwords are hashed (which they often aren't), the hash can be cracked if the password is weak. This actually happened to my PayPal account in 2002. At the time, I was using a weak password vulnerable to a dictionary attack (but not to only several login attempts). PayPal sent me an email asking me to change my password, claiming it was just a random request and had nothing to do with a specific attack. Since I knew my password was secure against a handful of login attempts, I just changed the password and then immediately changed it back to the original one. Shortly after, my account was hacked and money was withdrawn from my bank account. PayPal admitted in a later email that there actually had been an attack where the password hashes were stolen (implying that they were lying the first time). PayPal did eventually reimburse me for the money. The point is that it's good if a website limits login attempts, but you can't rely on that. I always assume that the hash could become public, and choose my password accordingly. (Of course, many websites store passwords in plain text, in which case the only thing that helps is not using the same or similar password anywhere else.)

Re: gnome-password-generator replacement?

Tim-163
Andre Robatino:
> If you use a password manager, you can use a different strong random
> password for each site, and copy and paste it. Fifty characters is
> just as easy as 8, and means you don't have to worry about changing
> the password again (unless a website like Socialsecurity.gov forces
> you to, and they should eventually stop doing that).

That's all very well as long as you only use one device.  When you have
several computers, devices, using other people's equipment, etc.,
password managers soon become their own pain.  So people use an on-line
password manager, and create a single-point of failure for multiple
accounts.

Tim:
>> Really, what ought to get tightened up is the software accepting logons.
>> There should be a limited number of attempts (3 goes and you're out for a
>> significant time limit).  Any system that lets a cracker hammer away
>> with repeated attempts is the thing that is broken.

> That works as long as the website isn't hacked.

A different problem.  Though perhaps related, it depends on how the site
was hacked.  If they let someone peck away at it, it's down to the same
problem.

Sites really need to stop storing your passwords, they need to keep
something that can only be used to confirm correct authentication, and
not be reverse engineerable to discover the password.


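What "something that can only be used to confirm correct authentication" looks like on the server side: a random per-user salt plus a deliberately slow key-derivation function, with only the result stored. This is an added example, not code from the thread; the record format, the function names and the iteration count are assumptions, and as noted earlier in the thread a weak password can still be guessed from such a record, only at a higher cost per guess.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows
SALT_BYTES = 16


def make_record(password, iterations=ITERATIONS):
    """Return the string a site stores in place of the password."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample password, used for two separate accounts.
    first = make_record("sickturtlepyjamas")
    second = make_record("sickturtlepyjamas")
    print(first)
    print("same password, different records:", first != second)
    print("correct password accepted:", verify("sickturtlepyjamas", first))
    print("wrong password rejected:", not verify("sickturtlepyjamaz", first))
```
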

Re: gnome-password-generator replacement?

Heinz Diehl
In reply to this post by stan
On 18.06.2017, stan wrote:

> It doesn't have a gui that I know of, but I use pwgen from the Fedora
> repositories.  It warns that the passwords are less secure than fully
> random passwords

Pwgen uses /dev/urandom, so the statement that those passwords are
less secure than "fully" random passwords (define "fully random"..) is
merely of academical nature.

In case of any doubt, you can always do something like

 head /dev/random | tr -dc A-Za-z0-9 | head -c X

where X is your password length. Tr also lets you tailor the
character set used.


Re: gnome-password-generator replacement?

Joe Zeff-2
In reply to this post by Tim-163
On 06/18/2017 08:21 PM, Tim wrote:
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> remember and type.  With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file).  You're not supposed to write passwords
> down anywhere.

I may have mentioned this before, but I have a friend who uses (roughly)
ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just
as hard to guess as the type of gibberish that most security "experts"
recommend, and a lot easier to remember.

Re: gnome-password-generator replacement?

Tom Horsley-5
In reply to this post by Heinz Diehl
I use keepassx to not only generate, but also store passwords.
It has lots of rules you can select about how to generate
passwords, which is useful, because lots of web sites
have idiotic requirements for passwords, and you can plug
those idiot requirements into the password generator.

Re: gnome-password-generator replacement?

Gour
On Mon, 19 Jun 2017 06:03:08 -0400
Tom Horsley <[hidden email]> wrote:

> I use keepassx to not only generate, but also store passwords.

I was using the same, but now find (qt)pass more pleasant to use.


Sincerely,
Gour

--
As the ignorant perform their duties with attachment to results,
the learned may similarly act, but without attachment, for the
sake of leading people on the right path.


Re: gnome-password-generator replacement?

Patrick O'Callaghan-2
In reply to this post by Joe Zeff-2
On Mon, 2017-06-19 at 00:17 -0700, Joe Zeff wrote:

> On 06/18/2017 08:21 PM, Tim wrote:
> > I completely agree, it's just as impossible to guess that a password is
> > "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> > remember and type.  With the peculiar password rules, I have no choice
> > but to do the insecure and write down passwords somewhere (whether
> > that's on paper or on file).  You're not supposed to write passwords
> > down anywhere.
>
> I may have mentioned this before, but I have a friend who uses (roughly)
> ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just
> as hard to guess as the type of gibberish that most security "experts"
> recommend, and a lot easier to remember.

The problem with many of these "rules" is that they don't apply
universally. A password suitable for a banking site is one thing, and a
password for your home Wifi network is another. Never write down the
first one (use a password manager), but feel free to write down the
second one and keep it in a drawer. And where possible, use your router
to configure a guest network with a different password and more
restricted access for those times when you have visitors.

I have a number of bank accounts in several countries (for perfectly
legitimate reasons, I hasten to add) and in my experience each bank has
its own rules which as often as not mitigate *against* good security
practice, e.g. forcing you to change the password every 3 months (which
invites password1, password2, password3 ...) or having their own
peculiar Javascript which blocks you from using a password manager. One
of them even disallows cut-and-paste, which tempts the user to have a
password simple enough to remember and type by hand.

poc

Re: gnome-password-generator replacement?

Tom Horsley-5
On Mon, 19 Jun 2017 12:55:28 +0100
Patrick O'Callaghan wrote:

> One
> of them even disallows cut-and-paste, which tempts the user to have a
> password simple enough to remember and type by hand.

One of the keepassx features is the ability to simulate
typing to teach the annoying web designers who is boss :-).

The sites that crack me up are the ones which have rules
like "you can only use letters and numbers" in your password.
Why? That just means anyone trying to guess passwords has
a much simpler job.