#PSA: The latest release of #pass 1.7.2 fixed a fairly major security hole: In prior versions, if an attacker could write to your ~/.password-store directory, they could exploit a bug in pass' regex to add a new GPG key, potentially granting access to the passwords.
Though rare, it's worth updating ASAP.
I'd rather type it as `st?UY?ld?ST?le?DT?507` because there's less chance of making a typo.
Well, your dictionary is probably bigger than 256 words, so maybe some more variation in case and special chars would be needed to compensate, but still, I prefer using a word as a mnemonic for 1-3 characters rather than typing the whole word.
So (since the search space grows exponentially) to get the same/better security you'd need 10 words. Would `st?UY?ld?ST?le?DT?ay?PO?tg?LD?507` still be easier to type?
Maybe it would, but I'd think it'd be harder to say and up the odds of typos.
Nevertheless, it's worth thinking about how pass-gen could support the use of mnemonics. I'll put some thought into it for a future version.
(It got started when I was logging onto a service on my phone that (inexplicably) wouldn't let me paste a password, which is bad security practice but still happens. But there are lots of other times when typing/saying might be required, including working with a computer without your passwords on it or verifying your identity over the phone.)
is still easier to type, I think.
If I want to say it, I say the full words, not just the letters that I type.
Also, I'll probably never want to say it aloud, because then someone other than me could hear it :P
Also, once it's easier to get such a password into muscle memory than it is with a password containing full words.
@Wolf480pl @octobyte Hmm, our muscle memory must work differently! I have a much easier time typing out full words that are part of my normal vocabulary than I do typing out (even short) strings of characters that don't form words.
In any event, you've convinced me to add support for some sort of mnemonic-based system. I'll let you know when I've added it.
@teqwve Yeah, I tend to agree—it's one of those "this is a vulnerability, but probably only applies if you were already in trouble" issues. (I tend to put any hack that requires extended physical access to your computer in that bucket, too).
That said, there is a use-case of people syncing their ~/.password-store directory across multiple computers using Nextcloud/dropbox/etc. (or even GitHub, if they don't consider their usernames private). So, the vulnerability would matter more to them.
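For the synced-store case just mentioned, a cheap defensive check is to audit every `.gpg-id` file in the store against the key fingerprints you actually intend to encrypt to, so an added recipient shows up before the next `pass insert` encrypts to it. This is an added example, not code from the thread or from pass itself; the fingerprints and the assumption that `.gpg-id` holds one recipient per line with `#` comments ignored are constructed/assumed.

```python
import tempfile
from pathlib import Path

# Hypothetical allowlist: the fingerprints the store owner intends to encrypt to
# (constructed values, not real keys).
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

def parse_gpg_id(text: str) -> list[str]:
    """One recipient per line, as pass writes .gpg-id; blanks and '#' comments skipped (assumed)."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def audit_store(store: Path, allowlist: set[str]) -> dict[str, list[str]]:
    """Return {relative .gpg-id path: [entries not in allowlist]} for every .gpg-id in the store."""
    upper = {fp.upper() for fp in allowlist}
    findings: dict[str, list[str]] = {}
    for gpg_id in sorted(store.rglob(".gpg-id")):
        unexpected = [k for k in parse_gpg_id(gpg_id.read_text()) if k.upper() not in upper]
        if unexpected:
            findings[gpg_id.relative_to(store).as_posix()] = unexpected
    return findings

def demo() -> dict[str, list[str]]:
    """Build a constructed store with one clean and one tampered .gpg-id, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        (store / ".gpg-id").write_text("0123456789ABCDEF0123456789ABCDEF01234567\n")
        sub = store / "work"
        sub.mkdir()
        # Constructed tampering: a second recipient appended to a subfolder's .gpg-id.
        (sub / ".gpg-id").write_text(
            "0123456789ABCDEF0123456789ABCDEF01234567\n"
            "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
        )
        return audit_store(store, TRUSTED_FINGERPRINTS)

if __name__ == "__main__":
    for path, keys in demo().items():
        print(f"{path}: unexpected recipient(s) {keys}")
```

Point `audit_store` at the real `~/.password-store` (and your own fingerprints) to run it against a synced store; an empty result means every `.gpg-id` matches the allowlist.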