[aur-requests] [PRQ#7832] Deletion Request for correcthorse

notify at aur.archlinux.org notify at aur.archlinux.org
Sat Apr 1 21:13:33 UTC 2017


dinghy [1] filed a deletion request for correcthorse [2]:

This software does use actual randomness. The correcthorse algorithm
needs perfect randomness and non-reproducibility to create secure
passwords (as does any password generator, in fact).
But THIS IMPLEMENTATION HAS A FLAW: successive commands within about a
second generate the same password. This implementation is therefore
time-based and not making use of /dev/(u)random.
Proof: the following is [ENTER]+[UP] as fast as possible.
~  correcthorse
goneededpurposewhy
~  correcthorse
unusualgovernmentgirlyesterday
~  correcthorse
unusualgovernmentgirlyesterday
~  correcthorse
unusualgovernmentgirlyesterday
~  correcthorse
unusualgovernmentgirlyesterday
~  correcthorse
unusualgovernmentgirlyesterday
~  correcthorse
weakhispleasantthey
~  correcthorse
weakhispleasantthey
~  correcthorse
weakhispleasantthey
~  correcthorse
weakhispleasantthey
~  correcthorse
weakhispleasantthey
~  correcthorse
johnnyparallelrecognizenumeral

The AUR package pwgen-passphrase does the same and also originates
from the correcthorse concept, but uses proper randomness.

[1] https://aur.archlinux.org/account/dinghy/
[2] https://aur.archlinux.org/pkgbase/correcthorse/


More information about the aur-requests mailing list