http://qs321.pair.com?node_id=257101

Your Mother has asked for the wisdom of the Perl Monks concerning the following question:

sub random_password {
    my $length = 8 + int(rand(5));
    my @alpha = ( 1 .. 9, 'a' .. 'z', 'A' .. 'Z', qw( ! @ $ % & * + - . , ) );
    return join('', map { $alpha[rand(@alpha)] } ( 1 .. $length ));
}

Other ideas or takes? I poked around the Super Search a bit but nothing jumped out at me. This seems awfully simple to resort to importing an entire module. Or is it? In this case it would be for temporaries issued to users via email till they redo their own and it would expire in, say, 10 minutes.

Replies are listed 'Best First'.
•Re: A reasonable temporary password generator?
by merlyn (Sage) on May 10, 2003 at 11:14 UTC
    Passwords have a lot of different contexts. You don't mention how this is going to be used.

    If it's for crypt(3) (like a basicauth password), characters past the 8th don't make any difference, for example. If it's for a human, it'd be nice to be somewhat pronounceable. If it's merely to confirm that an email address is the right one via a round-trip, it can be 64 hex characters instead.

    So, tell us more about how this is to be used, and you'll get better answers.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      Good question; sorry I didn't give more. This would just be a placeholder for a new website user account registration, or for a lost password reset, probably md5'd into a DB, no SSL or htpasswd in this case.
        In that case, since a human would have to enter it, I'd stick with 6-to-10 alphanumerics only, but run it past cracklib to make sure it's not trivially brute-forceable, and also have some mechanism to ensure that it gets changed on first use.

        -- Randal L. Schwartz, Perl hacker
        Be sure to read my standard disclaimer if this is a reply.
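
One way to implement the advice in this sub-thread (6 to 10 alphanumerics, a forced change on first use) together with the 10-minute expiry from the question; this is an added example, not code from any poster here. It reads /dev/urandom with rejection sampling instead of calling rand(), which perldoc documents as not cryptographically secure. The sub names, the record fields and the presence of /dev/urandom are assumptions, and the cracklib check is not included.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Alphanumerics only, as suggested above (62 symbols).
my @ALPHA = ( 0 .. 9, 'a' .. 'z', 'A' .. 'Z' );

# Read $n bytes from the kernel CSPRNG (assumes a Unix-like /dev/urandom).
sub random_bytes {
    my ($n) = @_;
    open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";
    my $got = sysread( $fh, my $buf, $n );
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return unpack( 'C*', $buf );
}

# Uniform integer in [0, $max) by rejection sampling: bytes at or above the
# largest multiple of $max that fits in a byte are discarded, so no index
# is favoured the way a plain "$byte % $max" would favour the low ones.
sub random_index {
    my ($max) = @_;
    die "max must be 1..256" if $max < 1 || $max > 256;
    my $limit = 256 - ( 256 % $max );
    while (1) {
        my ($byte) = random_bytes(1);
        return $byte % $max if $byte < $limit;
    }
}

# Returns a record for the account row: the password, the time after which
# it must be refused, and a flag telling the login code to force a change.
sub temporary_password {
    my ($ttl) = @_;
    my $length = 6 + random_index(5);    # 6..10 characters
    my $pw = join '',
        map { $ALPHA[ random_index( scalar @ALPHA ) ] } 1 .. $length;
    return { password => $pw, expires_at => time() + $ttl, must_change => 1 };
}

my $temp = temporary_password( 10 * 60 );    # 10-minute lifetime
printf "password=%s expires=%s must_change=%d\n",
    $temp->{password}, scalar localtime( $temp->{expires_at} ),
    $temp->{must_change};
```

The login code is expected to refuse the password once time() passes expires_at and to demand a new password while must_change is set.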

Re: A reasonable temporary password generator?
by valdez (Monsignor) on May 10, 2003 at 13:12 UTC

    Next time search also on CPAN :) If you search password on CPAN, you will get the following modules:

    1. Crypt::GeneratePassword: generate secure random pronounceable passwords
    2. Data::Password: Perl extension for assessing password quality

    These modules will give what you need and let you follow merlyn's suggestions. For example:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Crypt::GeneratePassword;
    use Data::Password qw(:all);

    my $password = Crypt::GeneratePassword::word(8, 8);

    $DICTIONARY = 4;
    $GROUPS = 1;
    $FOLLOWING_KEYBOARD = 1;

    print "password $password ";
    if (my $check = IsBadPassword($password)) {
        print "not good, because $check\n";
    }
    else {
        print "is good\n";
    }

    Ciao, Valerio

Re: A reasonable temporary password generator?
by iguanodon (Priest) on May 10, 2003 at 11:28 UTC
    Check out easypass.pl. It has lots of options to control how the passwords are generated, and you could call it from your code, or copy parts that you like, or at least get some ideas.

Re: A reasonable temporary password generator?
by apsyrtes (Beadle) on May 10, 2003 at 15:07 UTC
    You took the time to come up with the algorithm you have.
    You took the time to use Super Search to find a better way.
    You took the time to post and ask about a better way.
    You are taking the time to follow up on your post.

    If you had "resorted to importing an entire module" your application would be done and you'd be doing something else right now.

    Awfully Simple?

    Jason W.
      I took the time to do those things b/c that's what good citizens do.

      The application was done when I posted the question. I am always interested in other approaches b/c I love to learn. And I'm more than willing to change an approach if I get back a good reason.

      Since you seem interested in the "benchmark" of my post: algorithm: 40 seconds; super search: 2 minutes; post: 1 minute; follow up... well, I admit, I could have blown this one off safely and saved myself some time; I type 88wpm though, so not too bad after all.

      Reading through the PODs of the 1,416 results returned by a typical CPAN search (and this one in particular) instead of just asking the good monks here... why? Are you against increased content on the site?

        Nope, just pointing out that when you say "resorting to using a module" you sound like you have something against taking advantage of tested and proven work to advance your own, and would prefer to reinvent the wheel when faced with a choice.

        Sorry if you took offense, as it seems you have. None was intended. Good analysis though, I love it when someone takes the time to show me with some solid statistics just how flippant I'm being. ;)

        Jason W.
        Your "benchmark" is missing the time it takes everyone else to read your post, and for those who care to respond to do so. Those are sometimes significant externalities, even if they are mostly invisible to you.

        Increased content is only sometimes good. We increase the utility of this site when we limit how many duplicate discussions we have (hence super search), when people are encouraged to use other resources (like CPAN) pre-emptively, and when people are encouraged to work efficiently. This encourages a minimalistic approach. We also increase the utility of the site when the discussions are sufficiently interesting that more good contributors are drawn into the mix. That suggests a more verbose approach.

        How to balance those out is a matter of sometimes difficult judgement calls. Even after the fact it can be a matter of debate as to whether someone succeeded. (FWIW, I thought your initial post was just fine and just wanted to comment on the idea of whether content per se was a good or bad thing...)