This tool implements a simple random password generation algorithm, and can optionally generate hashes suitable for inclusion in /etc/shadow or .htpasswd files.
It requires only core Perl modules for its basic functionality: generating passwords and hashing them with the system crypt(). The {SSHA} hash format requires the Digest::SHA and MIME::Base64 modules, which are optional and not loaded unless required.
The tool can be installed as a usual Perl module with:

    perl Makefile.PL
    make
    sudo make install
It will install the mypwgen executable under /usr/local/bin/, plus a manual page for it generated by perldoc. You may consult ExtUtils::MakeMaker for other options.
Alternatively, you can just drop mypwgen anywhere you like and make it executable.
Consult man mypwgen or perldoc mypwgen for usage information.
A special "friendly" mode ensures that the password has no more "special" punctuation characters than required. This makes the passwords easier to remember, so users won't resort to writing them down, which is a common attack point when the password policy is too strict.
The algorithm is quite simple:
- Choose the required number of characters from each character class at random.
- Pad with randomly-chosen characters from all the classes.
- Shuffle the characters to obtain the password.
When it comes to cryptography or passwords, the rand() function is not considered a good source of random numbers. So, following common practice, mypwgen reads from /dev/urandom (or, optionally, /dev/random). As both devices produce random octets, modulo bias compensation is performed when an octet is reduced to a smaller range.
The characters are shuffled using the Fisher-Yates algorithm.
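The three-step algorithm and the randomness handling described above, as an added example (not the mypwgen code itself): it reads octets from /dev/urandom, removes modulo bias by rejection sampling, and applies a Fisher-Yates shuffle. The character classes, the per-class minimums and the password length are assumed values.

```perl
# Added example, not the mypwgen source. Classes, minimum counts and the
# password length below are assumptions chosen for illustration.
use strict;
use warnings;

# Character classes and the minimum number required from each (assumed).
my %classes = (
    lower => [ 'a' .. 'z' ],
    upper => [ 'A' .. 'Z' ],
    digit => [ '0' .. '9' ],
    punct => [ split //, '!@#$%^&*-_+=' ],
);
my %required = ( lower => 2, upper => 1, digit => 1, punct => 1 );
open( my $urandom, '<:raw', '/dev/urandom' ) or die "open /dev/urandom: $!";

# Uniform integer in [0, $n) for $n <= 256: read one octet and reject values
# at or above the largest multiple of $n, so no residue class is favoured.
sub rand_below {
    my ($n) = @_;
    die "range too large" if $n > 256;
    my $limit = 256 - ( 256 % $n );    # first value that would be biased
    while (1) {
        read( $urandom, my $byte, 1 ) == 1 or die "short read: $!";
        my $v = ord $byte;
        return $v % $n if $v < $limit;  # accept; otherwise draw again
    }
}
sub pick { my ($set) = @_; return $set->[ rand_below( scalar @$set ) ] }

sub generate {
    my ($length) = @_;
    my @chars;
    # Step 1: the required number of characters from each class.
    for my $name ( sort keys %required ) {
        push @chars, pick( $classes{$name} ) for 1 .. $required{$name};
    }
    # Step 2: pad with characters drawn from the union of all classes.
    my @all = map { @$_ } values %classes;
    push @chars, pick( \@all ) while @chars < $length;
    # Step 3: Fisher-Yates shuffle so the class order leaks no structure.
    for ( my $i = $#chars; $i > 0; $i-- ) {
        my $j = rand_below( $i + 1 );
        @chars[ $i, $j ] = @chars[ $j, $i ];
    }
    return join '', @chars;
}
print generate(12), "\n";
```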
No comprehensive analysis has been performed of how strong the passwords generated by this tool really are. Considering that password length rarely exceeds 12 characters, the outcome can be considered sufficiently unpredictable for a few dozen personal passwords generated over time. However, hundreds of passwords for all of an organization's staff may be another case. No warranty here, use at your own risk.
The defaults are chosen based on my personal preference: an 8-character alphanumeric password with an occasional punctuation mark is quite strong, plus I personally have no trouble remembering half a dozen of them, which is the whole point.
Relying on password strength alone is not good security practice; remember to rotate the passwords on a regular basis at all times.
Myths about /dev/urandom: https://www.2uo.de/myths-about-urandom/