# PWGen
A password generator written in Golang that offers highly customizable generated password schemes.
## What it Does Do
## What it Doesn't Do
PWGen does not, and will not, generate "Correct Horse Battery Stapler" passphrases (as demonstrated in [XKCD #936](https://xkcd.com/936/)).
The author of this library believes that strong, trustworthy password managers (such as [HashiCorp's](https://www.hashicorp.com/) [Vault](https://www.vaultproject.io/)) should be used to store passwords that are generated completely at random (or, to be pedantic, pseudo-randomly) with a large character space and length, rather than built from a combination of real words. Using real words remains susceptible to social engineering/OSINT and dictionary attacks (though it is certainly better than a single word, regardless of length).
The author is not unique in this belief, either. For example:
* [Rob Black](https://fractionalciso.com/correct-horse-battery-staple-review/) offers pragmatic criticism
* ["@procrastilearner" on Steemit](https://steemit.com/steemstem/@procrastilearner/correct-horse-battery-staple-is-wrong) offers mathematical/algorithmic criticism
* [Ken Munro](https://www.pentestpartners.com/security-blog/correcthorsebatterystaple-isnt-a-good-password-heres-why/) speaks a little about hashcat, which offers far more advanced cracking rules than Randall Munroe (author of XKCD) may have had in mind at the time of creating that comic.
* Even the venerable and well-respected Bruce Schneier [has spoken on this scheme](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html) -- back in 2014.
* (and so on.)
If you decide that you still need this functionality, however, I recommend using something like [the Babble library](https://github.com/tjarratt/babble).
### Other Tips
#### Password Hints
Many services offer "password hints". These are useless at best and provide a vulnerability at worst.
If you are prompted for these and they are required (as they usually are), generate and use strong unique passwords for each question and store those "answers" in your password manager as well. Depending on how the service implements the hint system, this potentially weakens your account's access security slightly (you now have 3 -- or however many hint prompts are required -- secrets that can be guessed instead of just 1), but there is absolutely no requirement that they be real answers. Using real answers would make your account easier to access through social engineering.
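As an added example (not PWGen's own code), the following Go program shows the two points made above: a generator that draws each character uniformly from a configurable character set using `crypto/rand`, and the entropy arithmetic behind preferring a long random string over a few dictionary words. The strings it produces are exactly what the "Password Hints" advice suggests storing as a hint "answer". The `Scheme` type, the character set and the dictionary size are assumptions for illustration; the 2048-word, four-word figure corresponds to the 44 bits quoted in XKCD #936 and is not something this README states.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Scheme describes one generated-password scheme: which characters are
// allowed and how many of them to emit. (Hypothetical type, for illustration.)
type Scheme struct {
	Name    string
	Charset string
	Length  int
}

// CharsetEntropyBits is the entropy of a uniformly random string of `length`
// symbols drawn from a character set of `charsetSize`: length * log2(size).
func CharsetEntropyBits(charsetSize, length int) float64 {
	return float64(length) * math.Log2(float64(charsetSize))
}

// PassphraseEntropyBits is the entropy of `words` words chosen uniformly from
// a dictionary of `dictSize` entries. An attacker who knows the dictionary
// searches words, not letters, so the length of each word plays no part.
func PassphraseEntropyBits(dictSize, words int) float64 {
	return float64(words) * math.Log2(float64(dictSize))
}

// Generate returns a password of s.Length characters drawn from s.Charset.
// rand.Int yields a uniform value in [0, n) from the OS CSPRNG, so there is
// no modulo bias even for a small character set.
func Generate(s Scheme) (string, error) {
	if len(s.Charset) == 0 || s.Length <= 0 {
		return "", fmt.Errorf("scheme %q: charset and length must be non-empty", s.Name)
	}
	n := big.NewInt(int64(len(s.Charset)))
	var b strings.Builder
	for i := 0; i < s.Length; i++ {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		b.WriteByte(s.Charset[idx.Int64()])
	}
	return b.String(), nil
}

// Validate reports whether pw has the scheme's length and uses only
// characters from the scheme's charset.
func Validate(s Scheme, pw string) bool {
	if len(pw) != s.Length {
		return false
	}
	for i := 0; i < len(pw); i++ {
		if strings.IndexByte(s.Charset, pw[i]) < 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed 76-character set: letters, digits and a handful of symbols.
	const alnumSym = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_~"
	schemes := []Scheme{
		{Name: "hint-answer", Charset: alnumSym, Length: 20},
		{Name: "vault-secret", Charset: alnumSym, Length: 32},
	}
	for _, s := range schemes {
		pw, err := Generate(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s %s  (%.0f bits)\n", s.Name, pw,
			CharsetEntropyBits(len(s.Charset), s.Length))
	}
	// Four words from an assumed 2048-word list, for comparison.
	fmt.Printf("4 words from a 2048-word list: %.0f bits\n", PassphraseEntropyBits(2048, 4))
}
```

Run it with `go run .`; each invocation prints fresh random strings. The comparison is the point: a 20-character string from a 76-symbol set already exceeds 120 bits, while a four-word passphrase from a 2048-word list is 44 bits no matter how long the words are, because the attacker's search space is the dictionary, not the alphabet.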
#### 2FA/MFA
If the service offers it, enable it. No arguments or excuses. It is the single most effective action you can take to protect your account's access and is well worth the slightly added complication of an additional auth method.