PWGen
A password generator written in Golang that offers highly-customizable generated password schemes.
What it Does Do
PWGen generates cryptographically-sound (i.e. non-predictable) passwords:
- The character set (or "charset"; the full list of possible characters to use in a password) is predefined at invocation, but the selection of a character from that list is determined by a cryptographically-driven random function (crypto/rand rather than simply math/rand).
- The order of characters in the generated password itself is then shuffled using crypto/rand as well.
- This is done for every single password generated.
You can build (cd cmd/pwgen && go build) and then run ./pwgen -h for all invocation options available.
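The selection-then-shuffle scheme described above, as an added example that is not PWGen's own code: each position is filled with an index drawn via crypto/rand (rand.Int avoids the modulo bias of "byte % n"), and the result is then shuffled with a Fisher-Yates pass that is also fed by crypto/rand. The charset constant is a constructed sample; the real tool builds its charset from command-line flags.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Constructed sample charset for this example; PWGen builds its own from flags.
const defaultCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

// randIndex returns a uniformly distributed index in [0, n) using crypto/rand.
// rand.Int rejects out-of-range draws internally, so there is no modulo bias.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// Generate builds one password of the given length from charset: each position
// is chosen independently with crypto/rand, then the result is shuffled with a
// Fisher-Yates pass whose swap targets also come from crypto/rand.
func Generate(charset string, length int) (string, error) {
	if length <= 0 || len(charset) == 0 {
		return "", fmt.Errorf("length must be positive and charset non-empty")
	}
	runes := []rune(charset) // index by rune so multi-byte characters are safe
	out := make([]rune, length)
	for i := range out {
		idx, err := randIndex(len(runes))
		if err != nil {
			return "", err
		}
		out[i] = runes[idx]
	}
	// Fisher-Yates shuffle over the already-random selection.
	for i := len(out) - 1; i > 0; i-- {
		j, err := randIndex(i + 1)
		if err != nil {
			return "", err
		}
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}
```

Call Generate(defaultCharset, 16) once per password; every call performs both the crypto/rand selection and the crypto/rand shuffle, matching the per-password behaviour described above.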
What it Doesn't Do
PWGen does not, and will not, generate "Correct Horse Battery Stapler" passphrases (as demonstrated in XKCD #936).
The author of this library believes that strong, trustworthy password managers (such as HashiCorp's Vault) should be used to store passwords that are generated completely randomly (or, to be pedantic, more likely pseudo-randomly) with a large character space and length, rather than passwords built from a combination of real words. Using real words remains susceptible to a social engineering/OSINT attack and/or a dictionary attack (albeit certainly better than just using a single word, regardless of length).
The author is not unique in this belief, either. For example:
- Rob Black offers pragmatic criticism
- "@procrastilearner" on Steemit offers mathematical/algorithmic criticism
- Ken Munro speaks a little about hashcat, which offers far more advanced cracking rules than Randall Munroe (author of XKCD) may have had in mind at the time of creating that comic.
- Even the venerable and well-respected Bruce Schneier has spoken on this scheme -- back in 2014.
- (and so on.)
If you decide that you still need this functionality, however, I recommend using something like the Babble library.
PWGen Tips
Quicker Generation
PWGen is already really fast considering all the cryptographically-sound generation it does.
If you need to generate a very large number of passwords, however, there are some things you can do to ensure they generate more quickly:
- Ensure that you stick to pre-defined charsets
- This means no explicit chars defined and no excluded (disabled) chars defined; the number of those chars can affect generation time
- Use a fixed length (e.g. -l 16 -L 16)
- Do not use minimum charset requirements
Sticking to these tips changes the generation time for me on my hardware from around 1 minute to about 1 second for 1 million passwords generated. YMMV, of course, but you will absolutely see an exponential difference in speed by sticking to the above constraints.
Other Tips
Password Hints
Many services offer "password hints". These are useless at best and provide a vulnerability at worst.
If you are prompted for these and they are required (as they usually are), generate and use strong unique passwords for each question and store those "answers" in your password manager as well. Depending on how the service implements the hint system, this can slightly weaken your account's access security (you now have 3 -- or however many hint prompts are required -- secrets that can be guessed instead of just 1), but there is absolutely no requirement that they be real answers. Using real answers would make access to your account easier to obtain through social engineering.
2FA/MFA
If the service offers it, enable it. No arguments or excuses. It is the single most effective action you can take to protect your account's access and is well worth the slightly added complication of an additional auth method.