What I would change about App::Genpass

If there is one thing that is more abundant than Hello World programs, it is password generators. Yet, one of the things I could never get right when working on my system administration job (all of them) was comfortable password generation.

There were various methods I've learned from people:

  • The lazy way: "1q2w3e", "qweasd", "qwaszx" and on it goes. A few of my passwords in the old age were exactly these. I've even seen this method used in at least one really big company where I worked. I know many of you might still have some of these passwords, and you should be ashamed of yourselves. And you are! I know!

  • The bi-lingual way (A.K.A., The Dirty Shlomo): whoever knows two (or more) languages can always count on a nice way of creating passwords. Take a word you know, and type it in whatever language you know but keep the keyboard layout on English. To the average bear it's plain English... OR IS IT? Usually this results in people using dirty words to create the password. If the user for whom you create the password is smart enough (in my case they never were), you might catch some heat. Otherwise, it's a pretty good way to break monotony. I'll admit I've done my share of this sinful act.

  • The Perl way: the ol' story about how Larry invented Perl - smash your head on the keyboard and you got either a password or a completely-functional Perl program.. or both! My boss still just mashes his hands on the keyboard to create "ultra-secure" passwords. Apparently it works pretty good for him.

  • The 1337 p455: using the stupid l33t sp34k with everyone got dull a long while ago but it still makes for good passwords. I use it often. Problem is you need to remember which letters you ruined ("ruined... or made better?") I don't know what about you, but I still call people to lunch using "f00dz".

  • The non-existent email account: a good friend of mine by the moniker of "quatrix" always suggested creating passwords as fake emails "mymail@2cows.COM" and viola! This is a 16 character-long password with symbols, numbers, lowercase and uppercase. Damn, that's awesome!

All of these methods have their benefits: typing speed, thinking-of-them speed, easy of use, etc. What I always wanted (scratch that, needed) was the ability to mix these features. So, I wrote a small little script called "genpass".

It was the first thing I uploaded to CPAN (which I'll admit to) and it made me very proud. It can work with lowercase, uppercase, digits, special characters and even blacklists a bunch of characters that all look alike so don't create a password that is hard to read! Unfortunately I missed a few corners like from the moment I allowed a home-folder-based configuration file, it wouldn't run without one - and other nonsense.

After I got much better at Perl (or so, I hope), I sat and converted most of the code to OO using Moose and uploaded App::Genpass. Now, I still had one issue missing... the actual script! Till this day I hadn't created it. I still use App::Genpass all the time, but usually using a one liner. I also always wanted to write a GUI interface for it using GTK2 but never got around to it.

One thing I will promise though (and hope to accomplish) is taking tomorrow morning to write an actual CLI interface to App::Genpass so you too could enjoy something which everyone already seen everywhere! Hooray!


apg(1) + hammering the keyboard is how I generate passwords for various web services. Then I just count on my browser remembering it for a few months, and it being easy to send password reset E-Mails.

Luckly a lot of things are now implementing OpenID authentication, or OAuth. So soon I'll have to do even less of that.

The best (because verifiable secure) way to get a password is diceware. It allows you to have high quality randomness with the ability to 'set' a number of bits as entropy. Besides this they are easy to remember.


OpenID is a nice idea, but I don't like that single point of failure stuff. There is an other concept very similar to OpenID, but in some situations it might be better:

Another cool way for coming up with passwords is to take a line from a song - e.g. "Raindrops keep falling on my head" and use the initial letter of each syllable (perhaps with a bit of L337) as your password e.g. "rdkf0mh".

You can choose a song that you feel is relevant to the site and, best of all, you can quietly sing the song in your head as you type the password.

Leave a comment

About Sawyer X

user-pic Gots to do the bloggingz