I was today years old when I learned that when inputting a password that doesn't echo on the terminal, I can usually hit CTRL-U to clear the password if I mistype instead of spamming the backspace key to be sure I've got it all. #LinuxTips
in reply to Jonathan Lamothe

@Jonathan Lamothe Unless your password field eats control characters.

Worse if your password contains a Control+U

in reply to silverwizard

@silverwizard True, but none of my passwords do. They're all base64 encoded randomness.
in reply to silverwizard

@silverwizard Yes, with some rules in place to ensure individual sites' password policies are observed, namely minimum number of upper/lower case letters, numbers and whether or not special characters are allowed/required. It limits the potential characters used, but the entropy can be made up with longer passwords. The default settings give me 96 bits of entropy, which is... probably fine.
in reply to Jonathan Lamothe

@Jonathan Lamothe But it means that if one password is compromised your system is compromised - rather than using a sha or whatever so that it's just garbage?
in reply to silverwizard

@silverwizard @Jonathan Lamothe No, the password itself is a long base64 string if I understand correctly. There’s no underlying cleartext password, it’s just noise encoded.
in reply to Hypolite Petovan

@Hypolite Petovan @Jonathan Lamothe Sure - if it's a random string that is then base64ed that's reasonable - but that kinda defeats the purpose of the base64

I just hash a master password and a slug and use the hash

in reply to silverwizard

@silverwizard @Hypolite Petovan Given the number of password policies that don't allow non-ASCII, it seemed a reasonable workaround.
in reply to Hypolite Petovan

@Hypolite Petovan Yes. It's just converting random noise into something that can be represented in ASCII. This is the full implementation:
https://hackage.haskell.org/package/passman
in reply to Jonathan Lamothe

Just noticed that this had some outdated documentation (e.g.: still pointed to GitHub as the authoritative source repository). I've just updated that, and brought the dependencies up to versions that are in the latest stackage LTS resolver while I was in there. I should be more mindful of bit rot in my old repositories.
