The latest release of 1.7.2 fixed a fairly major security hole: In prior versions, if an attacker could write to your ~/.password-store directory, they could exploit a bug in pass' regex to add a new GPG key, potentially granting access to the passwords.

Though rare, it's worth updating ASAP.

Update here:

NOTE: this bug does *not* impact my -gen project, which remains the most secure way to generate passwords.

so you're saying pass-gen generates passwords like


I'd rather type it as st?UY?ld?ST?le?DT?507 because there's less chance of making a typo.
Well, your dictionary is probably bigger than 256 words, so maybe some more variation in case and special chars would be needed to compensate, but still, I prefer using a word as a mnemonic for 1-3 characters rather than typing the whole word.


@Wolf480pl @octobyte@tuxspace.net Yes, the current pass-gen default dictionary is bigger than 256 words—it's 8,429 :D

So (since the search space grows exponentially) to get the same/better security you'd need 10 words. Would `st?UY?ld?ST?le?DT?ay?PO?tg?LD?507` still be easier to type?

Maybe it would, but I'd think it'd be harder to say and up the odds of typos.

Nevertheless, it's worth thinking about how pass-gen could support the use of mnemonics. I'll put some thought into it for a future version.
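To make the "10 words" comparison above concrete, here is a small entropy calculator added to this thread (it is not pass-gen's code). It assumes the 8,429-word dictionary quoted above, treats the sample mnemonic string as if every character were drawn uniformly from the covering character set (an upper bound; a string derived from dictionary words actually has no more entropy than the words it came from), and asks how many dictionary words are needed to match that bound.

```python
import math
import string

# Figures taken from the thread: dictionary size and sample mnemonic string.
DICT_SIZE = 8429
MNEMONIC_SAMPLE = "st?UY?ld?ST?le?DT?507"


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Entropy (bits) of n words drawn uniformly, with replacement, from dict_size words."""
    return n_words * math.log2(dict_size)


def charset_size(password: str) -> int:
    """Size of the union of standard character classes present in the password.

    Assumption: a character-class model (lower, upper, digits, punctuation), the
    usual way strength meters estimate a typed password's search space.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def random_string_bits(password: str) -> float:
    """Upper-bound entropy if every character were chosen uniformly from its charset.

    A mnemonic string built from dictionary words is NOT uniform, so its real
    entropy is bounded by passphrase_bits() of the underlying words instead.
    """
    return len(password) * math.log2(charset_size(password))


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


if __name__ == "__main__":
    bound = random_string_bits(MNEMONIC_SAMPLE)
    print(f"10 words from {DICT_SIZE}: {passphrase_bits(DICT_SIZE, 10):.1f} bits")
    print(f"{MNEMONIC_SAMPLE!r} as a random string: at most {bound:.1f} bits")
    print(f"words needed to match that bound: {words_needed(DICT_SIZE, bound)}")
```

Ten words from the 8,429-word list give about 130 bits, so the thread's figure lines up with a 21-character string drawn from roughly 72 symbols; against the full 94-symbol upper bound it takes eleven.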

@codesections @octobyte
is still easier to type, I think.
If I want to say it, I say the full words, not just the letters that I type.
Also, I'll probably never want to say it aloud, because then someone other than me could hear it :P
Also, once it's easier to get such a password into muscle memory than it is with a password containing full words.

@Wolf480pl @octobyte@tuxspace.net Hmm, our muscle memory must work differently! I have a much easier time typing out full words that are part of my normal vocabulary than I do typing out (even short) strings of characters that don't form words.

In any event, you've convinced me to add support for some sort of mnemonic-based system. I'll let you know when I've added it.
