Closed EvansJahja closed 4 years ago
ghyde
commented
4 years ago I think this is a bad idea and poses a huge security risk. The purpose of a random password generator is that it's nondeterministic. You don't want an attacker to be able to regenerate your password.
For example, a user may use predictable seeds to create passwords for websites.
xkcdpass --seed="google.com"If I know your seed, I know your password.
EvansJahja
commented
4 years ago @ghyde This is true, but there are other applications that would benefit from seeds. For instance, testings could rely on deterministic seeds. other use would be for generating username for websites.
ghyde
commented
4 years ago What kind of testing would required deterministic seeds? Also, xkcdpass shouldn't be used to store or regenerate usernames or passwords. That should be managed somewhere else, like a password manager.
redacted
commented
4 years ago I'd rather not weaken the core logic if at all possible, even for legitimate reasons. However there are a couple of alternatives:
For testing might I suggest using a custom word list? It is fairly straightforward to constrain the generation logic to always return the same password that way (indeed the current tests take this approach).
Another alternative is to import the main script into your own code (see examples directory) and set python's seed yourself.
I think it will be nice if the program would take an initial seed for the random process, so that it is repeatable. Such that
xkcdpass --seed="random123"would always produce "bloated uncheck trance unless violator washboard" or something like that.There are many use case, such as generating easy to remember hash of a password, generating random words that associates to
xkcd.com/936, etc etc.Any way of making xkcdpass generate the words deterministic would be nice.