ohmyzsh/plugins/genpass/genpass-xkcd

69 lines
1.7 KiB
Plaintext
Raw Permalink Normal View History

fix(genpass): improve performance and usability and fix bugs (#9520) *Bugs* The following bugs have been fixed: - All generators ignored errors from external commands. For example, if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would print "0-" as a password and return success. - All generators silently ignored the argument if it wasn't a number. For example, `genpass-apple -2` was generating one password and not printing any errors. - All generators silently ignored extra arguments. For example, `genpass-apple -n 2` was generating one password and not printing any errors. - `genpass-xkcd` was generating passwords with less than 128 bits of security margin in contradiction to documentation. The smaller the dictionary size, the weaker the passwords it was generating. For a dictionary with 27 words, `genpass-xkcd` was generating passwords with 93 bits of security margin (`log2(27!)`). - The source of random data used by `genpass-xkcd` was not cryptographically secure in contradiction to documentation. See: https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html - `genpass-apple` could generate a password with non-ascii characters depending on user locale. For example, passwords could contain 'İ' for users with Turkish locale. - `genpass-apple` didn't work with `ksh_arrays` shell option. - `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell option. - `genpass-xkcd` was producing too short (weak) or too strong (long) and/or printing errors when `IFS` was set to non-default value. - All generators were printing fewer passwords than requested and returning success when passed a very large number as an argument. *Usability* Generators are now implemented as self-contained executable files. They can be invoked from scripts with no additional setup. Generators no longer depend on external commands. The only dependencies are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`. All generators used to silently ignore all arguments after the first and the first argument if it wasn't a number. For example, both `genpass-apple -2` and `genpass-apple -n 2` were generating one password and not printing any errors. Now these print an error and fail. *Performance* The time it takes to load the plugin has been greatly reduced. This translates into faster zsh startup when the plugin is enabled. Incidentally, two generators out of three have been sped up to a large degree while one generator (`genpass-xkcd`) has gotten slower. This is unlikely to matter one way or another unless generating a very large number of passwords. In the latter case `genpass-xkcd` is now also faster than it used to be. The following table shows benchmark results from Linux x86-64 on i9-7900X. The numbers in the second and third columns show how many times a given command could be executed per second. Higher numbers are better. command | before (Hz) | after (Hz) | speedup | ----------------------------|------------:|-----------:|--------:| `source genpass.plugin.zsh` | 4810 | 68700 | +1326% | `genpass-apple` | 30.3 | 893 | +2846% | `genpass-monkey` | 203 | 5290 | +2504% | `genpass-xkcd` | 34.4 | 14.5 | -58% | `genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 15:57:59 +00:00
#!/usr/bin/env zsh
#
# Usage: genpass-xkcd [NUM]
#
# Generate a password made of words from /usr/share/dict/words
# with the security margin of at least 128 bits.
#
# Example password: 9-mien-flood-Patti-buxom-dozes-ickier-pay-ailed-Foster
#
# If given a numerical argument, generate that many passwords.
#
# The name of this utility is a reference to https://xkcd.com/936/.
emulate -L zsh -o no_unset -o warn_create_global -o warn_nested_var -o extended_glob
if [[ ARGC -gt 1 || ${1-1} != ${~:-<1-$((16#7FFFFFFF))>} ]]; then
print -ru2 -- "usage: $0 [NUM]"
return 1
fi
zmodload zsh/system zsh/mathfunc || return
local -r dict=/usr/share/dict/words
if [[ ! -e $dict ]]; then
print -ru2 -- "$0: file not found: $dict"
return 1
fi
# Read all dictionary words and leave only those made of 1-6 characters.
local -a words
words=(${(M)${(f)"$(<$dict)"}:#[a-zA-Z](#c1,6)}) || return
if (( $#words < 2 )); then
print -ru2 -- "$0: not enough suitable words in $dict"
return 1
fi
if (( $#words > 16#7FFFFFFF )); then
print -ru2 -- "$0: too many words in $dict"
return 1
fi
# Figure out how many words we need for 128 bits of security margin.
# Each word adds log2($#words) bits.
local -i n=$((ceil(128. / (log($#words) / log(2)))))
fix(genpass): improve performance and usability and fix bugs (#9520) *Bugs* The following bugs have been fixed: - All generators ignored errors from external commands. For example, if `/usr/share/dict/words` was unreadable, `genpass-xkcd` would print "0-" as a password and return success. - All generators silently ignored the argument if it wasn't a number. For example, `genpass-apple -2` was generating one password and not printing any errors. - All generators silently ignored extra arguments. For example, `genpass-apple -n 2` was generating one password and not printing any errors. - `genpass-xkcd` was generating passwords with less than 128 bits of security margin in contradiction to documentation. The smaller the dictionary size, the weaker the passwords it was generating. For a dictionary with 27 words, `genpass-xkcd` was generating passwords with 93 bits of security margin (`log2(27!)`). - The source of random data used by `genpass-xkcd` was not cryptographically secure in contradiction to documentation. See: https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html - `genpass-apple` could generate a password with non-ascii characters depending on user locale. For example, passwords could contain 'İ' for users with Turkish locale. - `genpass-apple` didn't work with `ksh_arrays` shell option. - `genpass-xkcd` was printing spurious errors with `ksh_arrays` shell option. - `genpass-xkcd` was producing too short (weak) or too strong (long) and/or printing errors when `IFS` was set to non-default value. - All generators were printing fewer passwords than requested and returning success when passed a very large number as an argument. *Usability* Generators are now implemented as self-contained executable files. They can be invoked from scripts with no additional setup. Generators no longer depend on external commands. The only dependencies are `/dev/urandom` and, for `genpass-xkcd`, `/usr/share/dict/words`. All generators used to silently ignore all arguments after the first and the first argument if it wasn't a number. For example, both `genpass-apple -2` and `genpass-apple -n 2` were generating one password and not printing any errors. Now these print an error and fail. *Performance* The time it takes to load the plugin has been greatly reduced. This translates into faster zsh startup when the plugin is enabled. Incidentally, two generators out of three have been sped up to a large degree while one generator (`genpass-xkcd`) has gotten slower. This is unlikely to matter one way or another unless generating a very large number of passwords. In the latter case `genpass-xkcd` is now also faster than it used to be. The following table shows benchmark results from Linux x86-64 on i9-7900X. The numbers in the second and third columns show how many times a given command could be executed per second. Higher numbers are better. command | before (Hz) | after (Hz) | speedup | ----------------------------|------------:|-----------:|--------:| `source genpass.plugin.zsh` | 4810 | 68700 | +1326% | `genpass-apple` | 30.3 | 893 | +2846% | `genpass-monkey` | 203 | 5290 | +2504% | `genpass-xkcd` | 34.4 | 14.5 | -58% | `genpass-xkcd 1000` | 0.145 | 0.804 | +454% |
2020-12-16 15:57:59 +00:00
{
local c
repeat ${1-1}; do
print -rn -- $n
repeat $n; do
while true; do
# Generate a random number in [0, 2**31).
local -i rnd=0
repeat 4; do
sysread -s1 c || return
(( rnd = (~(1 << 23) & rnd) << 8 | #c ))
done
# Avoid bias towards words in the beginning of the list.
(( rnd < 16#7FFFFFFF / $#words * $#words )) || continue
print -rn -- -$words[rnd%$#words+1]
break
done
done
print
done
} </dev/urandom