Hello folks,
As per title, I am looking for a password generation library. I found a couple, among which is https://github.com/rustomax/nim-passgen
Any recommendations?
Why not just use sysrand.urandom to get some random bytes and encode them with base16 or in a hexadecimal string? I.e.
import std/[sysrand, sequtils, strutils]
echo urandom(50).mapIt(it.toHex()).join("")  # 100 hex characters from the OS CSPRNG
Why not just use sysrand.urandom to get some random bytes and encode them with base64 or in a hexadecimal string?
Flexibility and elegance. You may want special chars, base64 is case sensitive and has weird padding, hex gets long quickly, base32 is okay but you have to write it yourself and it's still limited to lowercase alphanumeric.
You could, if you are so inclined, write an encoder you can pass an arbitrary string of unique characters and some bytes to, and benchmark it against the .sample approach. That would make a neat library. Personally I prefer the one liner because it's so easy to adapt if needed.
https://nim-lang.org/docs/random.html says "Do not use this module for cryptographic purposes!". xoroshiro128 is NOT a cryptographically secure pseudorandom number generator.
Rand has only 128 bits of state and a period of 2^128 - 1, so it can generate only 2^128 - 1 different passwords.
If you use 64 (= 2^6) characters to generate passwords from purely random numbers, then once the length exceeds 22 there are more than 2^(6 * 22) = 2^132 different possible passwords. If you use the random module, you don't get stronger passwords even when the length is longer than 22.
If you randomize the internal state of Rand only once, generate multiple passwords and give them to multiple persons, one of them can guess the internal state of Rand from just the one password they were given. From that one internal state it is possible to recover all the generated passwords. A CSPRNG is designed to prevent such an attack.
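An added example, not code from this thread, from nim-passgen or from the Nim standard library documentation, of the encoder suggested a few replies up: it maps bytes from std/sysrand onto an arbitrary alphabet, rejects the bytes that would make `mod` favour the first characters, and carries through the entropy arithmetic from the reply above. The proc names `generatePassword`, `checkAlphabet` and `entropyBits` and the `AlphabetError` type are chosen here.

```nim
# Added example: unbiased password generation from std/sysrand over an
# arbitrary alphabet. Not part of the thread or of nim-passgen.
import std/[sysrand, math, strutils]

type AlphabetError* = object of ValueError

proc checkAlphabet(alphabet: string) =
  ## The alphabet must be non-empty, contain each character once, and be
  ## small enough that a single random byte can address any entry.
  if alphabet.len == 0 or alphabet.len > 256:
    raise newException(AlphabetError, "alphabet must have 1..256 characters")
  var seen: set[char]
  for c in alphabet:
    if c in seen:
      raise newException(AlphabetError, "duplicate character in alphabet: " & c)
    seen.incl c

proc generatePassword*(length: Natural, alphabet: string): string =
  ## Draws bytes with urandom and keeps only those below the largest multiple
  ## of alphabet.len that fits in 0..255. Within that range `b mod n` is exactly
  ## uniform; plain `b mod n` over all 256 values would favour the first
  ## 256 mod n characters whenever n is not a power of two.
  checkAlphabet(alphabet)
  let n = alphabet.len
  let limit = 256 - (256 mod n)      # accept a byte b only if b < limit
  result = newStringOfCap(length)
  while result.len < length:
    # Ask for slightly more than the expected need; rejected bytes are dropped.
    let wanted = (length - result.len) * 256 div limit + 8
    for b in urandom(wanted):
      if int(b) < limit:
        result.add alphabet[int(b) mod n]
        if result.len == length:
          break

proc entropyBits*(length: int, alphabetSize: int): float =
  ## Entropy of a uniformly random password: length * log2(|alphabet|).
  float(length) * log2(float(alphabetSize))

when isMainModule:
  # 76 characters: not a power of two, so the rejection step actually matters.
  const Alphabet = "abcdefghijklmnopqrstuvwxyz" &
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ" &
                   "0123456789" & "!@#$%^&*()-_=+"
  let pw = generatePassword(20, Alphabet)
  echo "password: ", pw
  echo "entropy : ", formatFloat(entropyBits(20, Alphabet.len), ffDecimal, 1), " bits"
  # std/random keeps 128 bits of state, so at most 2^128 distinct outputs exist.
  # With a 64-character alphabet, 22 characters already encode 132 bits, more
  # than that generator can supply; urandom has no such ceiling.
  echo "64-char alphabet, 22 chars: ", entropyBits(22, 64), " bits"
```

Passing `alphabet` as a string rather than a `set[char]` keeps the character order stable, which is what the index arithmetic relies on; the duplicate check exists because a repeated character would silently double that character's probability.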
I'd say agree to disagree. The requirements you listed make little sense to me unless you write a password store like KeePass, which comes with password generators that want this kind of flexibility.
Particularly since std/random has issues for usage in security-relevant contexts. And it's not like the sysrand example is complex either.
Hey! I recently updated my password script due to a Chrome update that wiped out my saved passwords. The script is user-friendly and allows you to define password classes with minimum requirements. You can set a minimum requirement for each class, use -1 to exclude a class, or leave it empty to make it optional. There are parameters for custom symbols and excluded characters.
There are a couple of issues that weren't addressed in this thread:
I hope my code addresses all issues.
Example:
# Example of generating a default password
echo "Default Password: ", generateDefaultPassword()

# Paypal only allows: !"#$%&()*+=@\^~
let paypalSpecials = {'!', '"', '#', '$', '%', '&', '(', ')', '*', '+', '=', '@', '\\', '^', '~'}

# Example of generating a PayPal-compliant password with specific special characters
echo "PayPal-Compliant Password: ", generatePassword(newPasswordOptions(
  requirements = {ccSpecials: 1},
  specialChars = paypalSpecials
))

try:
  # Example of generating a custom password with specific requirements and excluded characters
  let customOpts = newPasswordOptions(
    length = 20,
    requirements = {ccUppercase: 3, ccLowercase: 3, ccDigits: 3, ccSpecials: -1},
    excludedChars = {'O', '0', '1', 'l', 'Z', '2'} # Example of excluded characters
  )
  echo "Custom Password: ", generatePassword(customOpts)
except ValueError: # By default retries 100 times before failing, was the easiest way to implement.
  discard
Here is some sample code that generates a 17-character password; you can change the length. This code uses special characters and alphanumerics (a-z, A-Z, 0-9).
import std/[sequtils, strutils, random]
var see = IdentChars + PunctuationChars  # set[char] of candidate characters
# IdentChars: alphanumerics and _; PunctuationChars: the printable ASCII punctuation
randomize() # to make new password (or new choice) each time we run this code
echo newSeqWith(17, sample(see)).join()
If you're interested in using a diceware password (or more correctly passphrase) generator, I have one that I wrote some time ago and use all the time: https://github.com/nealie/dicepass
Apparently a passphrase is much easier to remember and harder to crack than a traditional password. Diceware is a method for generating one.
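An added example, not code from this thread or from the dicepass project, of a diceware-style passphrase generator fed by std/sysrand. The word list below is a constructed excerpt in the usual diceware file layout (five dice digits, a tab, a word); a full list has 7776 entries, one per five-dice key from 11111 to 66666. Because the excerpt is small, words are chosen by uniform index into the parsed list rather than by rolling five dice, which is equivalent once the list is complete. The proc names `parseDiceware`, `uniformIndex`, `passphrase` and `passphraseBits` are chosen here.

```nim
# Added example: diceware passphrase from the OS CSPRNG. Not part of the thread
# or of nealie/dicepass. The word list is a constructed stand-in.
import std/[sysrand, math, strutils]

const SampleList =
  "11111\tabacus\n" &
  "11112\tabdomen\n" &
  "11113\tabdominal\n" &
  "11114\tabide\n" &
  "11115\tabiding\n" &
  "11116\tability\n" &
  "11121\tablaze\n" &
  "11122\table\n" &
  "this line has no tab and is skipped\n" &   # constructed malformed line
  "11123\tabnormal\n" &
  "11124\tabrasion\n" &
  "11125\tabrasive\n" &
  "11126\tabreast\n" &
  "11131\tabridge\n" &
  "11132\tabroad\n" &
  "11133\tabruptly\n" &
  "11134\tabsence\n"

proc parseDiceware*(text: string): seq[string] =
  ## Keeps only well-formed lines: a five-digit key using digits 1..6, a tab and
  ## a non-empty word. Malformed lines are skipped rather than aborting, so a
  ## stray comment in a list file does not silently shorten the alphabet.
  for line in text.splitLines:
    let parts = line.split('\t')
    if parts.len != 2 or parts[0].len != 5 or parts[1].len == 0:
      continue
    var keyOk = true
    for ch in parts[0]:
      if ch notin {'1'..'6'}:
        keyOk = false
    if keyOk:
      result.add parts[1]

proc uniformIndex*(n: Positive): int =
  ## Uniform integer in 0 ..< n. Draws 16 bits from urandom and rejects the top
  ## slice that does not divide evenly by n, so `mod n` introduces no bias.
  assert n <= 65536, "list too large for a 16-bit draw"
  let limit = 65536 - (65536 mod n)
  while true:
    let b = urandom(2)
    let v = (int(b[0]) shl 8) or int(b[1])
    if v < limit:
      return v mod n

proc passphrase*(words: seq[string], count: Positive, sep = " "): string =
  ## Picks `count` words independently; repeats are allowed, exactly as with
  ## physical dice, which is what the entropy figure assumes.
  if words.len == 0:
    raise newException(ValueError, "empty word list")
  var chosen: seq[string]
  for _ in 1..count:
    chosen.add words[uniformIndex(words.len)]
  chosen.join(sep)

proc passphraseBits*(count: int, listSize: int): float =
  ## Each word contributes log2(listSize) bits: about 12.9 per word for a full
  ## 7776-word list, so six words give roughly 77.5 bits.
  float(count) * log2(float(listSize))

when isMainModule:
  let words = parseDiceware(SampleList)
  echo "loaded ", words.len, " words"
  echo "passphrase: ", passphrase(words, 6)
  echo "entropy with this excerpt: ",
       formatFloat(passphraseBits(6, words.len), ffDecimal, 1), " bits"
  echo "entropy with a full 7776-word list: ",
       formatFloat(passphraseBits(6, 7776), ffDecimal, 1), " bits"
```

The entropy printed for the excerpt is deliberately tiny; it makes the point that the strength of a diceware passphrase comes from the size of the list and the number of words, not from the words looking unusual.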