Overview

This is an implementation of the pwqgen "random" password generation algorithm. It is loosely derived from the C version in passwdqc. See see http://www.openwall.com/passwdqc/

This is not a particularly well polished piece software. I wrote it because I needed it and am sharing it because it might be useful to others.

pwqgen run with the defaults give 64 bits of entropy sourced from Sysrandom (see https://rubygems.org/gems/sysrandom/versions/1.0.3)

Command Line Tool

pwqgen has the following options:

-k, --key STRING                 use hmac generator. key from /home/xyzzy/.skey
-p, --prompt-key STRING          use hmac generator. key from prompt
-n, --numeric-separators         use restricted separator list - numbers only
-s, --never-capitalize           never capitalize
-l, --length LENGTH              length of passphrase in words (minimum 3)
-b, --bits LENGTH                approximate desired entropy (overrides -l)
-v, --version                    send version number to stdout
-h, --help                       Show this message

HMAC quasi-random number generation

This -k option and -p options are experimental and need some explanation. They use key material from ~/.skey or a prompted key and generate a predictable quasi-random stream based on the string passed to -k/-p. If you use this option, you should attempt to keep the key material in ~/.skey or typed into the prompt secret. It uses 100,000 iterations of SHA512 HMAC to do this (see class Pwqgen::FakeRandom in lib/pwqgen.rb)

You can also specify the environment variable SKEYFILE to override the default key file location of ~/.skey

With this appraoch "pwqgen -k bob" will always give the same string. You could then use pwqgen instead of a password safe by generating predictable random-looking passwords. I'm not necessarily recommending this.

e.g. "pwqgen -k somesite.com" or "pwqgen -p somesite.com" could be used to generate the password for somesite.com

Requirements

  • sysrandom gem (you can change the code to use SecureRandom, but this is probably not a great idea)
  • highline gem (for -p option)
  • ruby version >= 2.1

TODO

  • man page
  • validate the FakeRandom approach to keyed quasi-random generation. It is probably fine as a simple HMAC as long as one doesn't use more than 512 bits.

Build

Building the gem is standard:

    gem build pwqgen.gemspec

Then you can install it with

    gem install

or use the Rakefile/Gemfile

    gem install bundler
    bundle install
    bundle exec rake

Usage

Other than the command line interface, you can also call this functionality by calling Pwqgen.pwqgen.

There are four named parameters.

n_words - Integer. Number of words used. This is required.

random_generator - Proc or method reference - this should yield a string with n bytes when n is passed in. Default is to use Sysrandom.random_bytes

separators - separators for use between words. Default is Pwqgen::SEPARATORS. Must be an array of one character strings of length = 2**n for some n between 0 and 12

random_capitalize - Boolean - whether or not to "randomly" capitalize words. Default is true.

Examples

        require 'pwqgen'
        require 'securerandom'  # only for the second and third

        # Five words. Default behaviour
        puts Pwqgen.pwqgen(n_words: 5)

        # use Securerandom instead of Sysrandom and with custom separators
        puts Pwqgen.pwqgen(n_words: 5, 
        random_generator: SecureRandom.method(:random_bytes),
        random_capitalize: false,
        separators: %w(2 3 4 |)
        )
        # OR
        puts Pwqgen.pwqgen(n_words: 5,
        random_generator: proc { |x| SecureRandom.random_bytes(x) },
        random_capitalize: false,
        separators: %w(2 3 4 |)
        )

        # produces "adam-adam-adam-adam" as the random generator always returns 0
        puts Pwqgen.pwqgen(n_words: 4, random_generator: proc { |x| "\000" * x })