An "Automated Password Generator"-clone written in Go


apg-go is a simple APG-like password generator written in Go. It tries to replicate the functionality of the "Automated Password Generator" (APG), which has not been maintained since 2003. Since more and more Unix distributions are abandoning the tool, I was looking for an alternative. FreeBSD, for example, recommends "security/makepasswd", which is written in Perl but requires a lot of dependency packages and doesn't offer the feature set or flexibility of APG.

Since FIPS-181 (pronounceable passwords) was withdrawn in 2015, I didn't see any use in replicating that feature. Therefore apg-go does not support pronounceable passwords.

Installation

Ports/Packages

FreeBSD

apg-go can be found as security/apg in the FreeBSD ports tree.

Arch Linux

Find apg-go in Arch Linux AUR.
Alternatively use the PKGBUILD file in this git repository

Binary releases

Linux/BSD/macOS

  • Download release
    $ curl -LO https://github.com/wneessen/apg-go/releases/download/v<version>/apg-v<version>-<os>-<architecture>.tar.gz
    $ curl -LO https://github.com/wneessen/apg-go/releases/download/v<version>/apg-v<version>-<os>-<architecture>.tar.gz.sha256
    
  • Verify the checksum
    $ sha256 apg-v<version>-<os>-<architecture>.tar.gz
    $ cat apg-v<version>-<os>-<architecture>.tar.gz.sha256
    
    Make sure the checksum of the downloaded file and the checksum in the .sha256 file match. sha256 is the BSD tool; on Linux use sha256sum, on macOS shasum -a 256. Note that a matching checksum only tells you the archive arrived intact: the .sha256 file is published next to the archive on the same release page, so it cannot vouch for the release itself, only for the download.
  • Extract archive
    $ tar xzf apg-v<version>-<os>-<architecture>.tar.gz
    
  • Execute
    $ ./apg
    

Windows

  • Download release
    PS> Invoke-RestMethod -Uri https://github.com/wneessen/apg-go/releases/download/v<version>/apg-v<version>-windows-<architecture>.zip -OutFile apg-v<version>-windows-<architecture>.zip
    PS> Invoke-RestMethod -Uri https://github.com/wneessen/apg-go/releases/download/v<version>/apg-v<version>-windows-<architecture>.zip.sha256 -OutFile apg-v<version>-windows-<architecture>.zip.sha256
    
  • Verify the checksum
    PS> Get-FileHash apg-v<version>-windows-<architecture>.zip | Format-List
    PS> type apg-v<version>-windows-<architecture>.zip.sha256
    
    Make sure the checksum of the downloaded file and the checksum in the .sha256 match
  • Extract archive
    PS> Expand-Archive -LiteralPath apg-v<version>-windows-<architecture>.zip
    
  • Execute
    PS> cd apg-v<version>-windows-<architecture> 
    PS> apg.exe
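
Comparing two 64-character hex strings by eye is the step most people skip, and a single transposed character is easy to miss. The following Go program is an added example, not part of apg-go: it reads the expected digest from the .sha256 sidecar, streams the archive through SHA-256 and compares the two in constant time, on any platform where the procedures above apply. The sidecar is accepted either as a bare digest or in the sha256sum "digest  filename" layout; which layout the apg-go release files actually use is not stated on this page, so handling both is an assumption. A malformed sidecar is an error, never a pass.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// parseSidecar extracts the expected digest from a .sha256 file. Two layouts are
// handled: a bare 64-character hex digest, or the sha256sum layout
// "<digest>  <filename>". Which one the apg-go releases use is not stated on the
// page (assumption), so the parser accepts both. Only the first non-empty line counts.
func parseSidecar(r io.Reader) (string, error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		digest := strings.ToLower(strings.Fields(line)[0])
		if len(digest) != sha256.Size*2 {
			return "", fmt.Errorf("sidecar: digest is %d hex chars, want %d", len(digest), sha256.Size*2)
		}
		if _, err := hex.DecodeString(digest); err != nil {
			return "", fmt.Errorf("sidecar: digest is not hex: %w", err)
		}
		return digest, nil
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return "", errors.New("sidecar: no digest found")
}

// verify streams the archive through SHA-256 and compares the result with the
// expected digest in constant time. A mismatch is reported as ok == false, not as
// an error, so a caller cannot confuse "tampered" with "could not read".
func verify(archive io.Reader, wantHex string) (bool, error) {
	want, err := hex.DecodeString(wantHex)
	if err != nil || len(want) != sha256.Size {
		return false, fmt.Errorf("expected digest %q is not a SHA-256 hex string", wantHex)
	}
	h := sha256.New()
	if _, err := io.Copy(h, archive); err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(h.Sum(nil), want) == 1, nil
}

// verifyFiles applies the two steps to an archive and its sidecar on disk.
func verifyFiles(archivePath, sidecarPath string) (bool, error) {
	sf, err := os.Open(sidecarPath)
	if err != nil {
		return false, err
	}
	defer sf.Close()
	want, err := parseSidecar(sf)
	if err != nil {
		return false, err
	}
	af, err := os.Open(archivePath)
	if err != nil {
		return false, err
	}
	defer af.Close()
	return verify(af, want)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <archive> <archive.sha256>")
		os.Exit(2)
	}
	ok, err := verifyFiles(os.Args[1], os.Args[2])
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	case !ok:
		fmt.Fprintln(os.Stderr, "MISMATCH: do not extract or run", os.Args[1])
		os.Exit(1)
	}
	fmt.Println("OK:", os.Args[1])
}
```

Usage: `go run verify.go apg-v<version>-<os>-<architecture>.tar.gz apg-v<version>-<os>-<architecture>.tar.gz.sha256`. Exit status 0 means the archive matches, 1 means it does not, 2 means the check itself could not be completed; a script should treat anything other than 0 as a reason not to extract.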
    

Sources

  • Download sources
    $ curl -LO https://github.com/wneessen/apg-go/archive/refs/tags/v<version>.tar.gz
    
  • Extract source
    $ tar xzf v<version>.tar.gz
    
  • Build binary
    $ cd apg-go-<version>
    $ go build -o apg ./...
    
  • Execute the brand new binary
    $ ./apg
    

Systemwide installation

It is recommended to install apg in a directory on your $PATH. To do so, run the following (this example uses /usr/local/bin as the system-wide binary path; YMMV):

$ sudo cp apg /usr/local/bin/apg

Usage examples

Default behaviour

By default apg-go will generate 6 passwords, each with a random length between 12 and 20 characters. The generated passwords use a character set constructed from lower case, upper case and numeric characters.

$ ./apg-go
R8rCC8bw5NvJmTUK2g
cHB9qogTbfdzFgnH
hoHfpWAHHSNa4Q
QyjscIsZkQGh
904YqsU5SnoqLo2w
utdFKXdeiXFzM

Modifying the character sets

Old style

Let's assume you want to generate a single password constructed out of upper case, numeric and special characters. Since lower case is part of the default set, you need to disable it by setting the -L parameter. In addition, set the -S parameter to enable special characters. Finally, -n 1 keeps apg-go from generating more than one password:

$ ./apg-go -n 1 -L -S
XY7>}H@5U40&_A1*9I$

New/modern style

Since the old style switches can be confusing, it is recommended to use the "new style" parameters instead. They are all combined in the -M parameter: the upper case version of a letter enables a feature, the lower case version disables it. The previous example looks like this in new style:

$ ./apg-go -n 1 -M lUSN
$</K?*|M)%8\U$5JA5~

Human readability

Generated passwords can be hard to read for humans, especially when ambiguous characters are part of the password. Some characters in the ASCII character set look similar to each other: for example, it can be hard to tell an upper case I from a lower case l, and the same applies to the digit zero (0) and the upper case O. To avoid such readability problems, set the -H parameter to turn on the "human readable" feature. When the option is set, apg-go leaves the typical ambiguous characters out of the generated passwords.

$ ./apg-go -n 1 -M LUSN -H
YpranThY3b6b5%\6ARx

Character exclusion

Let's assume that, for whatever reason, your generated password must never include a colon (:). For this case, use the -E parameter to specify a list of characters that are to be excluded from the password generation character set:

$ ./apg-go -n 1 -M lUSN -H -E :
~B2\%E_|\VV|/5C7EF=

Complex passwords

If you want to generate complex passwords, there is a shortcut for this as well. By setting the -C parameter, apg-go defaults to its strongest settings: the password uses all available character classes (lower case, upper case, numeric and special) and the human readability filter is turned off, since -H would shrink the character set.

$ ./apg-go -n 1 -C
{q6cvz9le5_fo"X7

Password length

By default, apg-go generates passwords with a random length between 12 and 20 characters. If you want to be more specific, use the -m and -x parameters to override the minimum and maximum. For a single complex password of exactly 32 characters, run:

$ ./apg-go -n 1 -C -m 32 -x 32
5lc&HBvx=!EUY*;'/t&>B|~sudhtyDBu
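
The switches described above (-M, -H, -E, -C, -m, -x) all reduce to two steps: build the alphabet, then draw every character from it with a cryptographic RNG. The program below is an added example written for this page, not apg-go's own generator, and implements those steps as the README describes them. Two details are assumptions: the ambiguous set dropped by -H is taken from the CLI parameter list (1, l, I, o, O, 0), and a lower case c in -M is treated as undoing -C; the page does not say what apg-go does in either case. Selection uses crypto/rand with rejection sampling through math/big, so no character is favoured, and the code fails loudly when the switches leave an empty alphabet (for example -M lunsN together with -E 0123456789).

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"log"
	"math/big"
	"strings"
)

// Character classes from the README. Which exact characters apg-go drops for -H
// is an assumption taken from the parameter list (1, l, I, o, O, 0).
const (
	lower     = "abcdefghijklmnopqrstuvwxyz"
	upper     = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits    = "0123456789"
	special   = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
	ambiguous = "1lIoO0"
)

// Options mirrors the README's switches.
type Options struct {
	Mode    string // -M: upper case letter enables a class/feature, lower case disables it
	Human   bool   // -H: drop ambiguous characters
	Exclude string // -E: characters that must never appear
	Complex bool   // -C: all four classes on, -H off
	MinLen  int    // -m
	MaxLen  int    // -x
}

// buildCharset resolves the switches into the alphabet passwords are drawn from.
// Defaults follow the README: L, U and N on, S off. -C wins over everything else.
func buildCharset(o Options) (string, error) {
	use := map[byte]bool{'L': true, 'U': true, 'N': true, 'S': false}
	human, complex := o.Human, o.Complex
	for i := 0; i < len(o.Mode); i++ {
		switch c := o.Mode[i]; c {
		case 'L', 'U', 'N', 'S':
			use[c] = true
		case 'l', 'u', 'n', 's':
			use[c-'a'+'A'] = false
		case 'H', 'h':
			human = c == 'H'
		case 'C', 'c': // lower case c undoing -C is an assumption; the README does not say
			complex = c == 'C'
		default:
			return "", fmt.Errorf("unknown -M flag %q", c)
		}
	}
	if complex {
		use['L'], use['U'], use['N'], use['S'] = true, true, true, true
		human = false
	}
	var sb strings.Builder
	for i, key := range []byte("LUNS") {
		if use[key] {
			sb.WriteString([]string{lower, upper, digits, special}[i])
		}
	}
	drop := o.Exclude
	if human {
		drop += ambiguous
	}
	cs := strings.Map(func(r rune) rune {
		if strings.ContainsRune(drop, r) {
			return -1 // a negative return makes strings.Map drop the character
		}
		return r
	}, sb.String())
	if cs == "" {
		return "", errors.New("every character class is disabled or excluded; nothing to choose from")
	}
	return cs, nil
}

// randomInt returns a uniformly distributed integer in [0, n) from crypto/rand.
// rand.Int does the rejection sampling, so there is no modulo bias.
func randomInt(n int) (int, error) {
	if n <= 0 {
		return 0, fmt.Errorf("randomInt: n must be positive, got %d", n)
	}
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// generate returns one password whose length is drawn from [MinLen, MaxLen].
func generate(o Options) (string, error) {
	if o.MinLen <= 0 || o.MaxLen < o.MinLen {
		return "", fmt.Errorf("invalid length bounds: -m %d -x %d", o.MinLen, o.MaxLen)
	}
	cs, err := buildCharset(o)
	if err != nil {
		return "", err
	}
	extra, err := randomInt(o.MaxLen - o.MinLen + 1)
	if err != nil {
		return "", err
	}
	pw := make([]byte, o.MinLen+extra)
	for i := range pw {
		idx, err := randomInt(len(cs)) // the alphabet is pure ASCII, so byte indexing is safe
		if err != nil {
			return "", err
		}
		pw[i] = cs[idx]
	}
	return string(pw), nil
}

func main() {
	// Equivalent of the README default: 6 passwords, 12 to 20 characters, classes L/U/N.
	for i := 0; i < 6; i++ {
		pw, err := generate(Options{MinLen: 12, MaxLen: 20})
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(pw)
	}
}
```

The one design point worth copying is randomInt: `rand.Int(rand.Reader, max)` rejects out-of-range draws internally, whereas taking a random byte modulo the alphabet size would favour the first few characters whenever 256 is not a multiple of the alphabet length (it never is for the sets above).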

Password spelling

If you need to read out a password, it helps to know the corresponding word for each character in the phonetic alphabet. By setting the -l parameter, apg-go provides the phonetic spelling (English) of the newly created password:

$ ./apg-go -n 1 -M LUSN -H -E : -l
fUTDKeFsU+zn3r= (foxtrot/Uniform/Tango/Delta/Kilo/echo/Foxtrot/sierra/Uniform/PLUS_SIGN/zulu/november/THREE/romeo/EQUAL_SIGN)

Have I Been Pwned

Even though the passwords apg-go generates are random, there is a small chance that someone else has used exactly the same password before and that it was exposed in a public breach. Such a password is no longer considered secure, as it usually ends up on publicly available password lists used for cracking.

To be on the safe side, use the -p parameter to enable a HIBP check. When the feature is enabled, apg-go checks the Have I Been Pwned database at https://haveibeenpwned.com whether a generated password has been leaked before and warns you if that is the case.

Please be aware that this is a live check against the HIBP API, which not only requires internet connectivity but may also take between 500 ms and 1 s per password. When generating a larger list of passwords (e.g. -n 100), the run takes correspondingly longer with -p enabled.
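
A -p style check does not have to send the password, or even its full hash, to HIBP: the Pwned Passwords API is a range query keyed on the first five hex characters of the password's SHA-1, and the client matches the remaining 35 characters against the returned list locally. The Go program below is an added example, not apg-go's own HIBP code (how apg-go talks to the API is not described on this page), and shows both halves: the offline split-and-match, which can be exercised against a constructed response body, and the live request, which sends the documented Add-Padding header so that the size of the response does not reveal which prefix was asked for. The user agent string is an assumption; HIBP requires one but does not prescribe its value.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"
)

// Added example, not apg-go's own HIBP client. The range endpoint is the public
// Pwned Passwords API; the user agent value is an assumption.
const (
	rangeURL  = "https://api.pwnedpasswords.com/range/"
	userAgent = "hibp-range-example"
)

// hashParts hashes the password with SHA-1 (the hash HIBP indexes by) and splits
// the upper-case hex digest into the 5-character prefix that goes over the
// network and the 35-character suffix that is only ever compared locally.
func hashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	digest := strings.ToUpper(hex.EncodeToString(sum[:]))
	return digest[:5], digest[5:]
}

// countInRange scans a range response, one "SUFFIX:COUNT" entry per line, for
// the given suffix and returns its breach count. 0 means not found; padded
// responses also carry fake entries with a count of 0, which is why a count of
// 0 is treated exactly like an absent suffix.
func countInRange(body io.Reader, suffix string) (int, error) {
	sc := bufio.NewScanner(body)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range entry %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
			if err != nil {
				return 0, fmt.Errorf("bad count in %q: %w", line, err)
			}
			return n, nil
		}
	}
	return 0, sc.Err()
}

// pwnedCount performs the live lookup. Only the 5-character prefix leaves the machine.
func pwnedCount(client *http.Client, password string) (int, error) {
	prefix, suffix := hashParts(password)
	req, err := http.NewRequest(http.MethodGet, rangeURL+prefix, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Add-Padding", "true") // HIBP pads the response so its size does not leak the prefix
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("HIBP returned HTTP %d", resp.StatusCode)
	}
	return countInRange(resp.Body, suffix)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: hibpcheck <password>")
		os.Exit(2)
	}
	n, err := pwnedCount(&http.Client{Timeout: 10 * time.Second}, os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "lookup failed:", err)
		os.Exit(2)
	}
	if n > 0 {
		fmt.Printf("WARNING: this password appears %d times in known breaches\n", n)
		os.Exit(1)
	}
	fmt.Println("not found in HIBP")
}
```

The split in hashParts is what makes the check acceptable for a freshly generated secret: HIBP learns a 20-bit prefix shared by hundreds of other hashes, never the password. The latency the README warns about is one HTTPS round trip per password, which is why generating 100 passwords with -p is noticeably slower than without.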

CLI parameters

apg-go replicates some of the parameters of the original APG. Some parameters differ though:

  • -m <length>: The minimum length of the password to be generated (Default: 12)
  • -x <length>: The maximum length of the password to be generated (Default: 20)
  • -n <number of passwords>: The amount of passwords to be generated (Default: 6)
  • -E <list of characters>: Do not use the specified characters in generated passwords
  • -M <[LUNSHClunshc]>: New style password parameters (upper-case enables, lower-case disables)
  • -L: Use lower-case characters in passwords (Default: on)
  • -U: Use upper-case characters in passwords (Default: on)
  • -N: Use numeric characters in passwords (Default: on)
  • -S: Use special characters in passwords (Default: off)
  • -H: Avoid ambiguous characters in passwords (i.e. 1, l, I, o, O, 0) (Default: off)
  • -C: Generate complex passwords (implies -L -U -N -S and disables -H) (Default: off)
  • -l: Spell generated passwords (Default: off)
  • -p: Check the HIBP database whether a generated password has been found in a leak before (Default: off); this feature requires internet connectivity
  • -h: Show a CLI help text
  • -v: Show the version number

Contributors

Thanks to the following people for contributing to the apg-go codebase: