Fun with hsxkpasswd

It is all very well coming up with a nice new method of organizing my passwords but what should those passwords actually be? Randall Munroe addressed this in a well-known xkcd comic and this approach has been extended by Bart Busschots, who coded it and made it available here.

It is a lot of fun playing with this password generator (how many words? Padding, yes or no? Separators, trailing and leading digits? What does that do to my entropy?) but it does not feel practical when I want to explore lots of options and then generate lots of passwords. Fortunately Busschots has provided a Perl module XKPasswd.pm, which you can download and tinker with to your heart's content.

Here are the steps that I took.

1. Download and install hsxkpasswd
It does not look as if anyone has built a homebrew package yet, so you need to pick the module up at the author's website (here) and follow the install instructions. These involve a sudo to cpan, which I am not wildly keen about. I just don't like having to revert to sudo when I'm installing packages. But I am not going to expend the effort to work out how to get round this so I guess I should just stop grumbling.

[Update: Bart has posted details of how to install without sudo. See comments below.]

2. Configure hsxkpasswd
The documentation is good, with plenty of examples that you can modify. Here is my .hsxkpasswdrc file that creates a preset RH that I can call from the command line.

$ cat ~/.hsxkpasswdrc
{
  "custom_presets" : {
    "RH" : {
      "description" : "Robert default",
      "config" : {
        "word_length_min" : 4,
        "word_length_max" : 8,
        "num_words" : 3,
        "separator_character" : " ",
        "padding_digits_before" : 4,
        "padding_digits_after" : 0,
        "padding_type" : "NONE",
        "padding_character" : "RANDOM",
        "padding_characters_before" : 0,
        "padding_characters_after" : 0,
        "case_transform" : "RANDOM",
        "allow_accents" : 0
      }
    }
  }
}

Simple, no?

3. Find a decent dictionary
You don't need to play with the password generator too long before you start noticing repeats (Mexico again? Really?). When you run the module with the --verbose option you see why: it is pulling from a dictionary that only contains about a thousand words. That is more than enough to get good entropies but it also makes for some pretty dull (and hence unmemorable) passwords.

How about a 10,000 word dictionary? Here is one that is extracted from Google's Trillion Word Corpus.

Not enough? (Answer: no.) That same page contains a link to Peter Norvig's 1/3 million most frequent English words. This may be of limited use for text analysis (it is not cleaned and is full of proper nouns, contractions, etc.) but for my purpose it is perfect. Just use your favorite text manipulation tool to jettison the word counts and chop it down to a single column of words (I used csvkit), use head to shorten the file to the desired word count (I thought 30,000 was a good number) and you have a dictionary that can replace the default.

4. Generate passwords
The -p option allows me to specify my preset, -d allows me to override the default dictionary and --verbose gives me the entropy.

$ hsxkpasswd -p RH -d NOVIGwords.30000.txt 10 --verbose

*DICTIONARY*
Source: Crypt::HSXKPasswd::Dictionary::Basic (loaded from: the file(s) NOVIGwords.30000.txt)
# words: 26821
# words of valid length: 19058 (71%)
Contains Accented Characters: NO
<snip>
*PASSWORD STATISTICS*
Password length: between 19 & 31
Permutations (brute-force): between 3.77x10^37 & 2.03x10^61 (average 2.77x10^49)
Permutations (given dictionary & config): 5.53x10^17
Entropy (Brute-Force): between 124bits and 203bits (average 164bits)
Entropy (given dictionary & config): 58bits

19k words to choose from? Nice. And that entropy is a good size too (the module flags a warning if the entropy is lower than about 48 bits). So what do the passwords look like?

0517 bolster tyco peugeot
5552 OTAGO external cons
4881 DATETIME HEARING replace
4813 received genetic MARA
5401 dieting prevail ARTERIAL
8730 DAZZLING sixteen GAMES
6815 teaches WEAKEN GUTS
9579 ABOLISH buddhism neff
8707 mortar BUCKET RUINS
9703 solitary LIBRA TRUTHFUL

OK, I like them. And who is ever going to guess a password that contains the name of a dodgy French car?
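Steps 3 and 4 together, as an added example that is not part of the original post or of HSXKPasswd itself: it reproduces the csvkit/head step on a constructed Norvig-style count file, pre-filters to the preset's 4-8 letter range so you can see how many words in the cut-down file hsxkpasswd will actually use, and recomputes the "given dictionary & config" entropy from the figures in the --verbose output above. The sample counts are made up, and the multipliers (10 per padding digit, 2 per word for RANDOM case) are assumptions that reproduce the reported 5.53x10^17 / 58 bits for this preset shape.

```python
import math

# Constructed sample in the layout of Norvig's count_1w.txt (word<TAB>count,
# sorted by descending frequency). Counts are made up; only the order matters.
SAMPLE_COUNTS = """\
the\t23135851162
of\t13151942776
information\t3587900000
about\t2700000000
search\t2300000000
free\t2100000000
home\t1800000000
university\t1500000000
bolster\t900000
peugeot\t800000
"""

# The keys of the RH preset (from the .hsxkpasswdrc above) that affect entropy.
RH_PRESET = {
    "word_length_min": 4,
    "word_length_max": 8,
    "num_words": 3,
    "padding_digits_before": 4,
    "padding_digits_after": 0,
    "case_transform": "RANDOM",
}

def words_from_counts(text, limit):
    """Step 3: drop the counts and keep the first `limit` words (csvkit + head)."""
    words = []
    for line in text.splitlines():
        if line.strip():
            words.append(line.split("\t", 1)[0])
        if len(words) == limit:
            break
    return words

def valid_length_words(words, preset):
    """Words hsxkpasswd can use: the '# words of valid length' figure in --verbose."""
    lo, hi = preset["word_length_min"], preset["word_length_max"]
    return [w for w in words if lo <= len(w) <= hi]

def entropy_bits(n_valid, preset):
    """Permutations and entropy 'given dictionary & config' (assumed multipliers)."""
    digits = preset["padding_digits_before"] + preset["padding_digits_after"]
    perms = n_valid ** preset["num_words"] * 10 ** digits
    if preset["case_transform"] == "RANDOM":
        perms *= 2 ** preset["num_words"]  # each word independently upper or lower
    return perms, math.floor(math.log2(perms))
```

Calling entropy_bits(19058, RH_PRESET) with the 19058 valid-length words from the run above gives 58 bits, matching the --verbose report.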

3 thoughts on “Fun with hsxkpasswd”

  1. Hi,

    Thanks for writing about HSXKPasswd – I'm glad you're finding the tool useful. I have to say I really like your preset – easy to read, easy to enter on a smartphone keyboard, and they still have lots of nice juicy entropy 🙂

    I hear you about your concerns about your reluctance to use sudo – I've not documented it yet, but I have tested, and it does work, to install the module via perlbrew – the Perl way of installing modules into your home dir instead of system-wide.

    When I get some time over the next few days I'll re-test and document installation of the module with perlbrew.
