xkpasswd - a secure memorable password generator

Steve Gibson really set the cat among the pigeons with his Password Haystacks site a few months ago, and XKCD’s ‘Correct Horse Battery Staple’ web comic brought that message home to many many nerds and geeks. The basic idea is that you’re better off making your passwords long and memorable than short and complex. In the simplified XKCD example the password is simply made up of 4 common words, but Steve Gibson suggests you should add some padding around those words to make the passwords much harder to guess.

This is a lovely theory, but I’m not imaginative, and I need to invent a lot of passwords every week, so I wrote a Perl module to do it for me, and called it xkpasswd.pm. The first thing I’m announcing today is that I’ve made this library available for free for both personal and commercial use (under the FreeBSD license), you can download it from www.bartb.ie/xkpasswd.


It’s great to have a library for nerds to play with, but what about everyone else? Well, that’s where my second announcement comes in, I’ve also created www.xkpasswd.net, a simple web front-end to the xkpasswd.pm module.


In case anyone is wondering where the name comes from? It’s a mashing together of XKCD, and passwd, the Linux/Unix command for changing passwords. Because I used to use Solaris, and hence the yppasswd command, I liked the idea of keeping the prefix to just two letters, hence xkpasswd, rather than xkcdpasswd.

For any programmers interested in using the Perl module, it has no prerequisites other than base Perl, and all you need to get started is the module and a dictionary file to point it at. The download package contains the module, a sample dictionary, and a sample Perl script which invokes the module.

In the future I also plan to release a JavaScript-only version if the library so that others can embed xkpasswd-based password generators in their own sites without needing Perl CGI support on their servers. I’m also experimenting with creating an OS X Service to allow people to easily generate xkpasswd passwords from anywhere within OS X, and perhaps even a native OS X Application. So stay tuned!

XKCD - Password Strength