{"id":144,"date":"2015-08-21T19:36:16","date_gmt":"2015-08-21T18:36:16","guid":{"rendered":"http:\/\/blog.nothinguntoward.eu\/?p=144"},"modified":"2022-01-22T14:18:31","modified_gmt":"2022-01-22T14:18:31","slug":"pwgen-h","status":"publish","type":"post","link":"https:\/\/nothinguntoward.eu\/?p=144","title":{"rendered":"pwgen-h"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"http:\/\/imgs.xkcd.com\/comics\/password_strength.png\" alt=\"xkcd password strength comic\"\/><\/figure>\n\n\n\n<p>Inspired by xkcd #<a href=\"https:\/\/xkcd.com\/936\/\" target=\"_blank\" rel=\"noopener\">936<\/a> (reproduced above, credit to xkcd), I threw together a quick Python script to generate correct horse battery staple style passwords.<\/p>\n\n\n\n<p><a href=\"http:\/\/blog.nothinguntoward.eu\/wp-content\/uploads\/2015\/08\/pwgen-h\">pwgen-h<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><pre class=\"brush: python; title: ; notranslate\" title=\"\">#!\/usr\/bin\/python3\nimport secrets,sys\n# wordlist holds one candidate word per line; read it all into memory\ndictfile=open('wordlist')\ndictlist=&#x5B;]\nfor a_line in dictfile:\n    dictlist.append(a_line)\n# pick the requested number of words using the CSPRNG-backed secrets module\nfor x in range(int(sys.argv&#x5B;1])):\n    print(secrets.choice(dictlist).strip(),end=\" \")\nprint(\"\")\n<\/pre><\/pre>\n\n\n\n<p>(edit: I&#8217;ve updated this as of Jan 2022: when I first wrote this, I used the Python &#8220;random&#8221; module, which isn&#8217;t secure. Since then, the &#8220;secrets&#8221; module has been added to Python from 3.6, which generates secure randomness, so I&#8217;ve updated it to use that)<\/p>\n\n\n\n<p>The name comes from the Unix pwgen utility, but -h because it generates &#8220;human readable&#8221; passwords.<\/p>\n\n\n\n<p>It needs to be fed a file &#8220;<a href=\"https:\/\/blog.m0tei.co.uk\/wp-content\/uploads\/2015\/08\/wordlist\">wordlist<\/a>&#8221; containing one word per line for it to choose from. You can use mine (roughly the 5000 most common English words) or your own. 
It&#8217;s then invoked as pwgen-h num_of_words<\/p>\n\n\n\n<p>Example invocations and outputs:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">$ .\/pwgen-h 6\nstarting give progress limit accommodate code\n.\/pwgen-h 4\ngravity Latin convenience exclude<\/pre><\/pre>\n\n\n\n<p>The wordlist I used is about 5000 words, so a resulting 6-word password has an entropy of <img src='https:\/\/s0.wp.com\/latex.php?latex=6+%5Ctimes+log_2%7B5000%7D%3D73.7+&#038;bg=ffffff&#038;fg=000000&#038;s=0' alt='6 \\times log_2{5000}=73.7 ' title='6 \\times log_2{5000}=73.7 ' class='latex' \/> bits. That means that there are around <img src='https:\/\/s0.wp.com\/latex.php?latex=10%5E%7B22%7D+&#038;bg=ffffff&#038;fg=000000&#038;s=0' alt='10^{22} ' title='10^{22} ' class='latex' \/> possibilities to brute force. At a million guesses per second, it would take in the order of a billion years to check every possibility.<\/p>\n\n\n\n<p>This has the caveat though that you have to take the first password it offers you* for the working above to be valid. If you keep trying it until you see a password which you like, you&#8217;re reducing your entropy in a difficult to quantify way.<\/p>\n\n\n\n<p>*Or rather, don&#8217;t decide based on the output whether to use it. Of course, you can play around with it as much as you like, but you should decide which password you&#8217;re going to use before it&#8217;s generated for maximum security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Inspired by xkcd #936 (reproduced above, credit to xkcd), I threw together a quick python script to generate correct horse battery staple style passwords. 
pwgen-h: #!\/usr\/bin\/python3 import secrets,sys dictfile=open(&#8216;wordlist&#8217;) dictlist=&#x5B;] for a_line in dictfile: dictlist.append(a_line) for x in range(int(sys.argv&#x5B;1])): print(secrets.choice(dictlist).strip(),end=&#8221; &#8220;) print(&#8220;&#8221;) (edit: I&#8217;ve updated this as of Jan 2022: when I first wrote this, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-144","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=\/wp\/v2\/posts\/144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=144"}],"version-history":[{"count":9,"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions"}],"predecessor-version":[{"id":620,"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions\/620"}],"wp:attachment":[{"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nothinguntoward.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}