POW: apg, Automated Password GeneratorWed, Nov 21, 2007
This week’s program may seem like a bit of a cop out, but it really isn’t. I’ve regularly found myself in need of some quick passwords to hand out to users that are both semi-secure and easy to remember. With apg, this can become a reality.
First, install apg:
# yum install apg .. snip .. Install 1 Package(s) .. snip .. Total download size: 101 k Is this ok [y/N]: y .. snip .. Installed: apg.i386 0:2.3.0b-5.fc8 Complete!
apg does provide several switches which help to provide an easy way to distribute passwords. Recently, I generated random, yet pronounceable passwords for about 30 users of an application I was using. it was quite nice to let the users login and feel safe with my choices of passwords.
To start with apg is quite easy to generate a set of passwords:
$ apg NatnawmIx GhisImAv* Bahiwaihet adMuhevep Ombachat cier]bipt
These passwords are the default set from apg, providing six pronounceable, 8-10 digit, In my opinion, its better to lose a bit of security to make a password easy to remember, than to have a user have to write the password down, more or less defeating the purpose of the password in the first place.
Because of my opinion, (and no, I’m not a security expert by any means, just using common sense), its probably a good idea to have a look at some of the switches provided by apg:
-a : (default) will make the passwords semi-pronounceable, 1 on the other hand, will be pseudo-random -n : tell apg how many passwords to display -m/-x : the minimum/maximum length of the generated passwords
Here’s an example of these options in use:
$ apg -a 1 -n 2 -m 7 -x 10
apg has more to give us though. We can use some standard Linux password checking utilities to help us:
-r : checks the generated passwords against a particular dictionary file. /usr/share/dict/words, for example.
Adding this to our previous example (and removing the -a option) will verify the password doesn’t have any dictionary words:
$ apg -r /usr/share/dict/words -n 2 -m 7 -x 10
The last component is -M mode, which can request/require that a password has a particular set of attributes. Its a bit more complex than the others above. The mode consists of eight letters, S, N, C and L, in both upper and lower case.
S : must use special symbol set for every generated password. s : should use special symbol set for password generation. N : must use numeral symbol set for every generated password. n : should use numeral symbol set for password generation. C : must use capital symbol set for every generated password. c : should use capital symbol set for password generation. L : must use small letters symbol set for every generated password (always present if pronounceable password generation algorithm is used). l : should use small letters symbol set for password generation.
As you might be able to tell, the list above is almost directly from the man page for apg. This is on purpose as it is very well explained (and recommended to read each and every man page for any tool used). Many a good trick has come directly from the man pages.
Let’s see these options in use:
$ apg -n 2 -m 7 -x 10 -M SCnL Hej=Nio nefMit/
What is noted right away during several iterations of these modes is the fact that rarely, if ever, is a number included. It seems the lowercase modes are not strong suggestions except in the case of “lower case letters”. However, using the uppercase mode values works every time as expected.
apg is a simple, yet effective tool for generating passwords. My hope is that you decide to use more secure passwords in the future with tools like apg.