Password Generator (opens in new tab)

(beta.browxy.com)

7 pointsdbremmen6y ago42 comments

42 comments

This generates the password on a server you don't control.

I recommend not using it.

Using 'tr -dc A-Za-z0-9 < /dev/urandom | head -c $length' is more secure and available on your linux or osx machine even more easily than waiting a second for a server to run some java off in a magic black box.

iudqnolq6y ago

You can also try indexing into /usr/share/dict/words for a correcthorsebatterystaple-style password. I'm sure there's a cute on-liner, I did it in Python because that took a lot less time than all the man page searching how to do it with Unix text processing tools would have taken.

Yes, it would be better to remember random characters of the same length. But most people don't. I personally have one password I use to sign into 1password and a small other set of critical services, and longer random passwords for everything else. I personally don't worry about nation state adversaries so I can make myself less vulnerable to mass automated attacks and targeted attacks by non-experts. It's important to remember not to let perfect be the enemy of the good, and important not to discount the cost of DOSing yourself. I reduced my security after I lost access to something of value.

archgoon6y ago

shuf -n 4 /usr/share/dict/words | tr '\n' ' ' && echo

1 more reply

TheDong6y ago

Your cute one-liner for 4 words:

sort --random-sort /usr/share/dict/words | head -n 4 | tr -d '\n'

You may wish to omit words that have "'" characters, in which case you may throw in a grep -v "'" after the sort.

1 more reply

anon90016y ago

Here's a perl one for fun :)

  perl -MList::Util=shuffle -0ane 'print ((shuffle @F)[0..3],"\n")' < /usr/share/dict/words

1 more reply

majewsky6y ago

You might be interested in https://github.com/laerling/xkcdget, the correcthorsebatterystaple-type version of my own https://github.com/majewsky/pwget.

1 more reply

archgoon6y ago

If you get "tr: Illegal byte sequence" you can prepend 'LC_ALL=C ' before the 'tr' to prevent tr from trying to treat the stream as a unicode sequence.

aarreedd6y ago

This isn't a great site or anything and you're right that password should be generated client-side. But not everyone is one Linux or Mac and sometimes it's just easier to Google "password generator" than remembering that command.

Your comment reminds me of the infamous Dropbox comment: https://news.ycombinator.com/item?id=9224

TheDong6y ago

There are plenty of actually secure and usable password generators, such as the one integrated with keepass / 1password / etc.

I'm sure there are secure websites to do it too. This isn't it though.

The dropbox comment isn't relevant. It's a bias to say "I remember this thing was criticized in a similar way but succeeded" and map that on to "so other criticisms aren't valid".

It's far more often than things seem unlikely to succeed to critics, and then quietly fail than that things seem unlikely to succeed to critics, but then succeed. After all, almost everything ever made doesn't see widespread success.

Our brain does remember the latter cases more, and that leads to the bias.

I see it most commonly with the phrase "X started out small too" as a defence for why something small will grow to something big, when in reality that's cherry picking massively.

1 more reply

pvg6y ago

Password managers and browsers themselves can generate passwords. Generating passwords with a website it a terrible idea, googling "password generator" and going to some random website is an even worse variant of the same idea.

1 more reply

dbremmenOP6y ago

Yes you right I just created this password generator for fun in the browxy online compiler. The UI is auto-generated with a tool that the site provide. I'm just curious why this tool caused so many interest and wondering what other tools can be built that cause this type of interest...

SomewhatLikely6y ago

I'm a fan of the apg linux command because it generates somewhat phonetically prounceable passwords and of course runs locally. https://help.ubuntu.com/community/StrongPasswords#APG

oeuviz6y ago

I created something similar ~2 decades ago in perl. It would spit out a long list of passwords in text format so you could chose one without the server knowing what you chose.

Today, keepass does the job just fine.

oefrha6y ago

Instead of a search space of 1 you augmented it to N which is likely <= 2^10. Still a pretty terrible idea to trust a password like that.

oeuviz6y ago

I agree, however, it ran on our own server so it was OK-ish.

dbremmenOP6y ago

That's a nice idea! I just created this password generator for fun like other utilities in java but I don't know just this one generated so many interest. You can see the source code using the button to the bottom right (the one that has 1's and 0's)

ozgrozer6y ago

A better version of this might be https://piper.gq/ that I made last month.

dbremmenOP6y ago

Thanks for all the nice comments that are intended with good karma. What other feature can I add to this password generator that is useful? I agree that using linux is more secure but for passwords that are not as important I think this tool works fine, also you don't need to remember a big line of code and you can execute it on your mobile phone

tobr6y ago

It seems surprisingly complicated. Why is there a “start” and “stop” button? Why does it take so long for it to generate a random string? Why is there a “console” that just seems to show the page template?

dbremmenOP6y ago

You right! Console and stop button are not necessary. The UI is generated with a UI creation tool that match program arguments with UI widgets (see: https://ibb.co/phQQFxr). In this case there is an option missing to don't show the stop button and the console (These are shown due that you can create interactive programs with browxy)

known6y ago

I use

</dev/urandom tr -dc 23456789~*@#$%_+-=qwertQWERTasdfgASDFGzxcvbZXCVB | head -c13; echo ""

j / k navigate · click thread line to collapse

42 comments

TheDong6y ago

This generates the password on a server you don't control.

I recommend not using it.

iudqnolq6y ago

archgoon6y ago

shuf -n 4 /usr/share/dict/words | tr '\n' ' ' && echo

1 more reply

TheDong6y ago

Your cute one-liner for 4 words:

sort --random-sort /usr/share/dict/words | head -n 4 | tr -d '\n'

You may wish to omit words that have "'" characters, in which case you may throw in a grep -v "'" after the sort.

1 more reply

anon90016y ago

Here's a perl one for fun :)

  perl -MList::Util=shuffle -0ane 'print ((shuffle @F)[0..3],"\n")' < /usr/share/dict/words

1 more reply

majewsky6y ago

You might be interested in https://github.com/laerling/xkcdget, the correcthorsebatterystaple-type version of my own https://github.com/majewsky/pwget.

1 more reply

archgoon6y ago

If you get "tr: Illegal byte sequence" you can prepend 'LC_ALL=C ' before the 'tr' to prevent tr from trying to treat the stream as a unicode sequence.

aarreedd6y ago

Your comment reminds me of the infamous Dropbox comment: https://news.ycombinator.com/item?id=9224

TheDong6y ago

There are plenty of actually secure and usable password generators, such as the one integrated with keepass / 1password / etc.

I'm sure there are secure websites to do it too. This isn't it though.

The dropbox comment isn't relevant. It's a bias to say "I remember this thing was criticized in a similar way but succeeded" and map that on to "so other criticisms aren't valid".

Our brain does remember the latter cases more, and that leads to the bias.

I see it most commonly with the phrase "X started out small too" as a defence for why something small will grow to something big, when in reality that's cherry picking massively.

1 more reply

pvg6y ago

1 more reply

dbremmenOP6y ago

SomewhatLikely6y ago

I'm a fan of the apg linux command because it generates somewhat phonetically prounceable passwords and of course runs locally. https://help.ubuntu.com/community/StrongPasswords#APG

oeuviz6y ago

I created something similar ~2 decades ago in perl. It would spit out a long list of passwords in text format so you could chose one without the server knowing what you chose.

Today, keepass does the job just fine.

oefrha6y ago

Instead of a search space of 1 you augmented it to N which is likely <= 2^10. Still a pretty terrible idea to trust a password like that.

oeuviz6y ago

I agree, however, it ran on our own server so it was OK-ish.

dbremmenOP6y ago

ozgrozer6y ago

A better version of this might be https://piper.gq/ that I made last month.

dbremmenOP6y ago

tobr6y ago

dbremmenOP6y ago

known6y ago

I use

</dev/urandom tr -dc 23456789~*@#$%_+-=qwertQWERTasdfgASDFGzxcvbZXCVB | head -c13; echo ""

j / k navigate · click thread line to collapse