Generate an XKCD #936 style 4 word password

shuf -n4 /usr/share/dict/words | tr -d '\n'
2011-08-10 13:04:39
User: Strawp
Functions: tr
21

4 random words are better than one obfuscated word

http://xkcd.com/936/

Alternatives

There are 2 alternatives - vote for the best!

shuf -n4 /usr/share/dict/words | sed -e ':a;N;$!ba;s/\n/ /g;s/'\''//g;s/\b\(.\)/\u\1/g;s/ //g'
2011-08-11 19:49:21
User: vasti
Functions: sed
Tags: sed regex xkcd shuf
1

This is what I came up with to generate an XKCD #936 style four-word password.

Since first letter of every word is capitalized it looks a bit more readable to my eyes.

Also strips single quotes.

And yes - the regex is a bit of a kludge, but that's the best I could think of.

echo $(grep "^[^']\{3,5\}$" /usr/share/dict/words|shuf -n4)
2011-08-23 21:15:18
User: j_melis
Functions: echo grep
Tags: awk xkcd
1

The improvement of this command over Strawp's original alternative is that you can specify the size of the words, in this particular case words between 3 and 5 characters long. It also excludes words that contain apostrophes; if you'd rather keep those words, simply substitute `.` for `[^']`.

jot 4 | awk '{ print "wc -l /usr/share/dict/words | awk '"'"'{ print \"echo $[ $RANDOM * $RANDOM % \" $1 \"]\" }'"'"' | bash | awk '"'"'{ print \"sed -n \" $1 \"p /usr/share/dict/words\" }'"'"' | bash" }' | bash | tr -d '\n' | sed 's/$/\n/'
2011-08-16 00:26:56
User: fathwad
Functions: awk bash sed tr
Tags: tr xkcd
0

So I use OSX and don't have the shuf command. This is what I could come up with.

This command assumes /usr/share/dict/words does not surpass 137,817,948 lines and line selection is NOT uniformly random.

shuf /usr/share/dict/words |grep "^[^']\{3,5\}$" |head -n4
2011-08-24 03:43:55
User: menachem
Functions: grep head
Tags: awk xkcd
0

This does the same thing that the command 'j_melis' submitted, but does it a lot quicker.

That command takes 43 seconds to complete on my system, while the command I submitted takes 6 seconds.

perl -F'\s+' -anE 'push @w,$F[1];END{$r.=splice @w,rand @w,1 for(1..4);say $r}' diceware.wordlist.asc


What others think

Unfortunately, Randall Munroe doesn't understand entropy from information theory. The definition is clearly defined as H=L*log_2(N), where H is the amount of entropy in binary bits, L is the length of the message, log_2() is the log base 2, and N is the total possible characters available given the set of characters in the password.

Thus, "Tr0ub4d0r&3" has 78-bits of entropy, and "correcthorsebatterystable" has 117-bits of entropy.

Comment by atoponce 168 weeks and 1 day ago

Sadly, his reasoning is flawed as well, as discussed in great detail here... http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html

Comment by costa24 168 weeks and 1 day ago

If you're going to downvote this, don't do it because the idea that inspired it is flawed. For what it's supposed to do, it does it well, and could be used for a non-flawed idea.

Sadly, 'shuf' is not installed on every machine. It should be. Some later editions of GNU sort have a '-R' option, so you could use 'sort -R /usr/share/dict/words |head -4 |' instead... but not every distro has an up-to-date version of GNU sort, either. For example, I can see both are missing from RHEL / CentOS 5.6.

Comment by Mozai 168 weeks and 1 day ago
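The two concerns raised in the alternatives and comments above, that `$RANDOM * $RANDOM % lines` does not pick lines uniformly and that `shuf`/`sort -R` are not available everywhere, can both be handled in plain POSIX sh. The script below is an added example, not a command submitted on this page: it reads 32-bit values from `/dev/urandom` and uses rejection sampling so that the modulo does not bias the choice towards low line numbers. The word list it writes to a temporary file is constructed for the example; the function names (`urandom_below`, `gen_passphrase`, `passphrase_from_list`) are ours.

```shell
#!/bin/sh
# Added example, not a command from the page: a portable passphrase generator
# that needs neither shuf(1) nor sort -R and picks each word uniformly.
# Randomness comes from 32-bit values read out of /dev/urandom, with rejection
# sampling so that "value % N" is unbiased. bash's $RANDOM is only 15 bits and
# "$RANDOM * $RANDOM % N" is not uniform, so it is deliberately not used.

# Constructed word list so the example runs offline; in real use point
# WORDLIST at /usr/share/dict/words or a Diceware list (one word per line).
WORDLIST="${TMPDIR:-/tmp}/xkcd_example_words.$$"
trap 'rm -f "$WORDLIST"' EXIT
cat > "$WORDLIST" <<'EOF'
correct
horse
battery
staple
anvil
copper
fjord
glacier
lantern
marble
orchid
quartz
EOF

# Number of candidate words (one per line).
word_count() {
    wc -l < "$1" | tr -d ' '
}

# Print an integer in [0, n) drawn uniformly from /dev/urandom.
# Draws at or above "limit" (the largest multiple of n that fits in 32 bits)
# would make "r % n" favour small residues, so they are thrown away.
urandom_below() {
    n=$1
    limit=$(( 4294967296 - 4294967296 % n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# Print k words from the list (default 4) joined by sep (default none, as in
# the original "tr -d '\n'" command). Words may repeat: each draw stays
# independent, which is what the k*log2(N) entropy estimate assumes.
gen_passphrase() {
    file=$1
    k=${2:-4}
    sep=${3:-}
    n=$(word_count "$file")
    out=""
    i=0
    while [ "$i" -lt "$k" ]; do
        idx=$(( $(urandom_below "$n") + 1 ))   # sed lines are 1-based
        w=$(sed -n "${idx}p" "$file")
        if [ -n "$out" ]; then
            out="$out$sep$w"
        else
            out="$w"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Self-check: every word of a space-separated passphrase must be on the list.
passphrase_from_list() {
    for w in $1; do
        grep -qx -- "$w" "$2" || return 1
    done
    return 0
}

gen_passphrase "$WORDLIST" 4 " "
```

`od -An -N4 -tu4` is available in both GNU and BSD coreutils, so this runs on the OSX case from the `jot` alternative as well; selecting a line with `sed -n "${idx}p"` is O(N) per word, which is fine for a dictionary-sized list.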

Thus, the reason it was downvoted by me. shuf(1) isn't portable across all Unices. However, last I checked, I didn't need to explain why I voted one way or the other.

Comment by atoponce 168 weeks and 1 day ago

Ah, I see. I've always aimed for brevity in commands whereas I see here we're aiming for universally supported, core function based commands. I did wonder about some of my previous submissions...

Comment by Strawp 168 weeks and 1 day ago

@atoponce: It's *generally* a good practice to comment and explain whenever you vote down.

Comment by parga_nanbat 168 weeks and 1 day ago

Man, that Troy Hunt guy is super verbose... but after skimming the article I don't see where he says Munroe's idea is flawed. The closest thing would be that Munroe doesn't specify that the total number of characters is important, not using the 4 words. The 4 words are just a convenient way to get a decent number of characters that are easy to remember. All lower case alpha is perfectly fine as long as it's long enough. Do the math.

The biggest flaw I see is that if an attacker knows you use 4 words like this it will make your password easy to brute force.

Comment by eikenberry 168 weeks ago

I think some of you missed the point Randall was making.

@atoponce: your equation for entropy is only true for a string which doesn't exhibit "inter-symbol memory" (each character is random and unrelated to adjacent characters). A password based on a word does have inter-symbol memory, so you have to consider the entire word as a single symbol, and N becomes the list of words it was drawn from. Randall apparently came up with a list of 64 thousand words (16 bits). The additional bits show the likely ways those 64k base words are typically obfuscated, so you effectively have a single symbol drawn from 256 million possible values (28 bits).

For the 'secure' password, my dictionary file has 98,569 words, so using your equation: H = L*log_2(N) = 4*log_2(98569) = 66 bits.

@eikenberry: It's more conservative to consider each word as a 'symbol', so instead of a 25-symbol string with 4.7 bits each (26 different letters), you have a string of 4 symbols with 16.5 bits each. So, it doesn't matter if you tell the attacker that you used this command to generate the password, because he still has 2^66 combinations to try which would take 2.3 billion years to try based on the rates Randall is using (he might get lucky and find the answer in ~1 billion years).

An important point (that Troy mentions also) is that these rates only apply to brute force attacks via a web interface. I wouldn't use any of these for a Truecrypt volume or any other local or offline system that doesn't inherently limit the attempt rate.

Comment by __ 168 weeks ago
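The arithmetic in the comments above (H = L*log_2(N), the 66-bit figure for four words from a 98,569-word dictionary, the 117-bit figure when the same letters are counted one by one, and the "2.3 billion years" at the comic's guess rate) is carried out below in awk so it can be checked from any POSIX shell. This is an added example rather than anything posted on the page; `entropy_bits`, `years_to_exhaust` and `list_bits` are our own helper names, and the 1000 guesses/second rate is the online-attack rate assumed by the comic, while the 1e9 guesses/second figure is an illustrative offline rate we chose to show the point made about rate-limited versus offline attacks.

```shell
#!/bin/sh
# Added example, not from the page: the entropy arithmetic from the comments,
# H = L * log2(N), done with awk so it runs in any POSIX shell. L is the number
# of symbols and N the size of the set each symbol is drawn from; which thing
# counts as a "symbol" (a character or a whole word) is what the comments
# above disagree about.

# Print L * log2(N), rounded to one decimal place.
entropy_bits() {
    awk -v l="$1" -v n="$2" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# Years needed to try all 2^bits candidates at "rate" guesses per second.
# On average an attacker succeeds after about half of that.
years_to_exhaust() {
    awk -v b="$1" -v rate="$2" \
        'BEGIN { printf "%.3g\n", 2 ^ b / rate / (365.25 * 86400) }'
}

# Entropy of a k-word passphrase drawn from a one-word-per-line list file,
# counting each word as one symbol (so N is the list length, not 26).
list_bits() {
    entropy_bits "$2" "$(wc -l < "$1" | tr -d ' ')"
}

# Four words from the 98,569-word dictionary in the comment: 66.4 bits.
entropy_bits 4 98569
# The same 25 letters counted letter by letter over a-z: 117.5 bits. This is
# the per-character figure, which overstates the work for a known word list.
entropy_bits 25 26
# 2^66 guesses at the comic's 1000 guesses/s: about 2.34e+09 years.
years_to_exhaust 66 1000
# The same 66 bits against an offline target at an assumed 1e9 guesses/s:
# about 2.34e+03 years. The formula is unchanged; only the rate moved.
years_to_exhaust 66 1000000000
# Word-as-symbol entropy of four words from the local dictionary, if present.
if [ -r /usr/share/dict/words ]; then
    list_bits /usr/share/dict/words 4
fi
```

The two `years_to_exhaust` calls make the offline caveat concrete: the same 66-bit passphrase goes from billions of years to thousands once the attacker is no longer throttled by a web front end, which is why the generator alone says nothing about where a passphrase is safe to use.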

Randall himself has discussed this a little:

https://plus.google.com/111588569124648292310/posts/6yrDxQcyjuW

http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so#2779020

Comment by __ 168 weeks ago
