Add support for Diceware wordlists in numbered and/or PGP-signed formats #6791

snipfoo
Contributor

@snipfoo snipfoo commented Aug 1, 2021

Rationale

This allows one to directly use Diceware-compatible wordlists without having to convert the file to the plain wordlist format.

The accepted formats are described in the Diceware documentation: https://diceware.readthedocs.io/en/stable/wordlists.html.

Testing strategy

Tested with several wordlists from https://github.com/ulif/diceware/tree/master/diceware/wordlists. In particular, tested with a numbered wordlist (wordlist_en_eff.txt), a PGP-signed wordlist (wordlist_en_securedrop.asc) and a PGP-signed numbered wordlist (wordlist_en_orig.asc).

Type of change

  • ✅ New feature (change that adds functionality)

This allows one to directly use Diceware-compatible wordlists
without having to convert the file to the plain wordlist format.

The accepted formats are described in the Diceware documentation:
https://diceware.readthedocs.io/en/stable/wordlists.html
@droidmonkey
Member

droidmonkey commented Aug 1, 2021

What is the point of using a signed wordlist if you don't check the signature? The signed lists are terrible as well since they have "words" that are 1 to 4 letters in length.

@snipfoo
Contributor Author

snipfoo commented Aug 1, 2021

Hi,

Thanks for the feedback!

There are many wordlists outside of those distributed with Diceware, especially for other languages (e.g., diceware-wordlists-fr). The idea is that Diceware set a kind of de facto standard format for these wordlists (i.e., plain, PGP-signed and/or numbered), and that most of the wordlists that exist use this format. The idea here is to have the possibility to use these wordlists with KeePassXC without having to edit them to remove the PGP signature or the numbers (which can be quite a hassle and error-prone for users unfamiliar/uncomfortable with editing large text files).

Verifying the PGP signature of a signed wordlist would be great, for sure, but, as is, KeePassXC requires the user to remove the signature altogether if they want to use this wordlist to generate a passphrase. At least, allowing KeePassXC to read signed wordlists allows the user to use the file as a drop-in replacement for eff_large.wordlist without having to remove the signature, and they can always manually verify the signature themself using GnuPG.

Actually, this is on par with Diceware's behavior, which does not verify the PGP signature either (see here):

Signed wordlists can be verified to detect changes, although this is not automatically done by diceware.

Therefore, I see this as simply increasing KeePassXC's compatibility with existing wordlists, without changing its normal behavior.

But if you think that this would help clarify the situation, I can always write a caveat in the keepassxc-cli manpage stating that the PGP signature of the wordlist will not be verified.

Cheers!
SnipFoo
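
The three formats discussed above (plain, numbered, PGP clear-signed), handled by one parser. This is an added example, not code from this pull request or from KeePassXC: `parseDicewareWordlist` is a hypothetical name, it uses standard C++ rather than Qt, and the sample list is constructed. Like the behavior described in the thread, it strips the signature armor without verifying it.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper (not KeePassXC's implementation): extracts the words from a
// Diceware-style wordlist that may be plain, numbered and/or PGP clear-signed.
// The signature is NOT verified here; the armor is only stripped.
std::vector<std::string> parseDicewareWordlist(const std::string& text)
{
    std::vector<std::string> words;
    std::istringstream in(text);
    std::string line;
    bool isSigned = false;
    bool inArmorHeaders = false; // between the BEGIN line and the first empty line

    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back(); // CRLF files
        if (line == "-----BEGIN PGP SIGNED MESSAGE-----") {
            isSigned = inArmorHeaders = true;
            continue;
        }
        if (inArmorHeaders) { // e.g. "Hash: SHA256", terminated by an empty line
            if (line.empty()) inArmorHeaders = false;
            continue;
        }
        if (isSigned && line == "-----BEGIN PGP SIGNATURE-----") break; // rest is the signature
        // Clear-signed text escapes lines starting with '-' as "- " (RFC 4880, section 7.1).
        if (isSigned && line.compare(0, 2, "- ") == 0) line.erase(0, 2);

        std::istringstream fields(line);
        std::string first, second;
        if (!(fields >> first)) continue; // blank line
        bool diceIndex = true;
        for (char c : first) diceIndex = diceIndex && c >= '1' && c <= '6';
        // "11111<whitespace>word": drop the dice index; a lone token is always a word.
        words.push_back(diceIndex && (fields >> second) ? second : first);
    }
    return words;
}

int main()
{
    // Constructed sample: clear-signed, numbered list with a placeholder signature body.
    const std::string sample = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                               "11111\tabacus\n11112\tabdomen\n-----BEGIN PGP SIGNATURE-----\n\n"
                               "(placeholder)\n-----END PGP SIGNATURE-----\n";
    for (const auto& w : parseDicewareWordlist(sample)) std::cout << w << '\n';
}
```

Because nothing here checks the signature, a modified list parses exactly like the original; verification remains a separate manual step with GnuPG, as noted in the comment above.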

@droidmonkey
Member

droidmonkey commented Aug 1, 2021

Yes that is an important caveat similar to what diceware themselves wrote. Otherwise I don't have any grief with expanding the options pool.

@snipfoo
Contributor Author

snipfoo commented Aug 1, 2021

Great, thanks for the quick reply!

d2cdef8 is a first try at documenting this in the keepassxc-cli manpage.

Cheers!
SnipFoo

@droidmonkey droidmonkey merged commit e660802 into keepassxreboot:develop Oct 2, 2021
@droidmonkey droidmonkey added this to the v2.7.0 milestone Oct 2, 2021
@phoerious phoerious added pr: new feature Pull request that adds a new feature and removed new feature labels Nov 22, 2024