Introducing www.xkpasswd.net & xkpasswd.pm
Filed Under Computers & Tech, Software Development, My Projects on October 3, 2011 at 12:58 am
Steve Gibson really set the cat among the pigeons with his Password Haystacks site a few months ago, and XKCD’s ‘Correct Horse Battery Staple’ web comic brought that message home to many many nerds and geeks. The basic idea is that you’re better off making your passwords long and memorable than short and complex. In the simplified XKCD example the password is simply made up of 4 common words, but Steve Gibson suggests you should add some padding around those words to make the passwords much harder to guess.
This is a lovely theory, but I’m not imaginative, and I need to invent a lot of passwords every week, so I wrote a Perl module to do it for me, and called it xkpasswd.pm. The first thing I’m announcing today is that I’ve made this library available for free for both personal and commercial use (under the FreeBSD license); you can download it from www.bartb.ie/xkpasswd.
It’s great to have a library for nerds to play with, but what about everyone else? Well, that’s where my second announcement comes in: I’ve also created www.xkpasswd.net, a simple web front-end to the xkpasswd.pm module.
In case anyone is wondering where the name comes from, it’s a mashing together of XKCD and passwd, the Linux/Unix command for changing passwords. Because I used to use Solaris, and hence the yppasswd command, I liked the idea of keeping the prefix to just two letters, hence xkpasswd rather than xkcdpasswd.
For any programmers interested in using the Perl module, it has no prerequisites other than base Perl, and all you need to get started is the module and a dictionary file to point it at. The download package contains the module, a sample dictionary, and a sample Perl script which invokes the module.
In the future I also plan to release a JavaScript-only version of the library so that others can embed xkpasswd-based password generators in their own sites without needing Perl CGI support on their servers. I’m also experimenting with creating an OS X Service to allow people to easily generate xkpasswd passwords from anywhere within OS X, and perhaps even a native OS X Application. So stay tuned!
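The scheme described in this post (a few common words with padding around them), sketched as an added example in base Perl. It is not xkpasswd.pm's code or API: the sub names, the symbol set, the digit groups, the random upper-casing and the 16-word list are assumptions constructed here. It draws randomness from /dev/urandom and estimates entropy for an attacker who already knows the scheme and the word list.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample list; a real generator needs a dictionary of thousands of words.
my @WORDS = qw(correct horse battery staple orange window castle garden
               silver planet rocket marble forest bridge candle harbor);
my @SYMBOLS = qw(! @ $ % ^ & * - _ + = : ~ ?);   # assumed separator/padding set

# Perl's rand() is not meant for secrets, so read the kernel CSPRNG instead.
open(my $URANDOM, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!\n";

# Uniform integer in [0, $n), using rejection sampling to avoid modulo bias.
sub rand_below {
    my ($n) = @_;
    die "range must be 1..2**24\n" if $n < 1 || $n > 2**24;
    my $limit = 2**24 - (2**24 % $n);   # values at or above this are rejected
    my $v;
    do {
        read($URANDOM, my $buf, 3) == 3 or die "short read from /dev/urandom\n";
        $v = unpack('N', "\0" . $buf);  # 24-bit big-endian integer
    } while ($v >= $limit);
    return $v % $n;
}

# Layout: PAD digits SEP word SEP word ... SEP digits PAD
sub generate {
    my (%o) = (words => 4, digits => 2, pad => 2, @_);
    my $sep = $SYMBOLS[ rand_below(scalar @SYMBOLS) ];
    my $pad = $SYMBOLS[ rand_below(scalar @SYMBOLS) ] x $o{pad};
    my @words = map {
        my $w = $WORDS[ rand_below(scalar @WORDS) ];
        rand_below(2) ? uc($w) : $w;    # one random case bit per word
    } 1 .. $o{words};
    my @num = map { join '', map { rand_below(10) } 1 .. $o{digits} } 1 .. 2;
    return $pad . join($sep, $num[0], @words, $num[1]) . $pad;
}

# Bits of entropy when the attacker knows the layout and the word list.
sub entropy_bits {
    my (%o) = (words => 4, digits => 2, @_);
    my $log2 = sub { log($_[0]) / log(2) };
    return $o{words} * ($log2->(scalar @WORDS) + 1)   # word choice plus case bit
         + 2 * $o{digits} * $log2->(10)               # digit groups at both ends
         + 2 * $log2->(scalar @SYMBOLS);              # separator and padding symbol
}

print generate(), "\n" for 1 .. 3;
printf "%.1f bits with this %d-word sample list\n", entropy_bits(), scalar @WORDS;
```

The padding length is fixed, so under this attacker model only the choice of padding symbol adds entropy; most of the strength comes from the size of the dictionary.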
Thanks for doing this, Bart.
This is great. I’d been wanting to do something very much like this.
If you will forgive the self promotion, I wrote about this comic a while back.
http://blog.agilebits.com/2011/08/better-master-passwords-the-geek-edition/
Cheers,
-j
Thanks Jeffrey – good post of yours too!
It’s precisely because of my worries about the entropy of the extreme simplification of the XKCD example that I added the separators, padding, and numbers, as well as the options for case transformations and 133+ substitutions.
Bart.
Bart, this is fantastic! Would you be averse to me using your algorithm to make an iOS based password generator? (obviously I wouldn’t be using your code verbatim, unless there is some sort of Perl interpreter for iOS that I don’t know about 😉 ) I think this would be rather handy to have, plus it would help me continue to hone my skills as an iOS programmer. If yes, would you also be averse to making money off said app, either by charging a very small fee (like 99cents) or by putting in iAds (but not both)?
The file is apparently no longer located at http://www.bartb.ie/xkpasswd although there are several links to it, including one in this article. Could you please post the file back to http://www.bartb.ie/xkpasswd or create a redirect there? I was able to download it from http://www.bartbusschots.ie/downloads/xkpasswd-v0.1.zip and thanks for that!
Bart,
FYI, I put up a copy of the latest version of your code that I could find in my github account (see URL above), and made a few minor changes. If you like, I’m happy to continue to collaborate with you on this subject — either on github or off.
Either way, I figured I should let you know that I had put a copy of your code up and that I had made a few minor changes.
Thanks for all your hard work!