Data::Passphrase::Apache - HTTP service for checking passphrase strength


In httpd.conf:

    <Location />
        Require valid-user
        PerlHandler +Data::Passphrase::Apache
        SetHandler  perl-script
        # turn on debugging (default: 0)
        PerlSetVar PassphraseDebug 1
        # use a remote service for form_handler (default: localhost)
        PerlSetVar PassphraseLocation \
        # set location of rules file (default: /etc/passphrase_rules)
        PerlSetVar PassphraseRules \

HTTP client:

    use constant LOCATION => '';
    use LWP::UserAgent;
    my $username = $ENV{LOGNAME};
    for (;;) {
        print 'Passphrase (clear): ';
        chomp (my $passphrase = <STDIN>);

        my $user_agent = LWP::UserAgent->new();
        my $response   = $user_agent->post(LOCATION, {
            passphrase => $passphrase,
            username   => $username,
        $code          = $response->code   ();
        $message       = $response->message();
        $score         = $response->score  ();
        print "$code $message, score: $score\%\n";

SOAP client:

    use SOAP::Lite +autodispatch =>
        proxy    => '',
        uri      => '';
    my $username = $ENV{LOGNAME};
    for (;;) {
        print 'Passphrase (clear): ';
        chomp (my $passphrase = <STDIN>);
        my $response = SOAP::Lite
                username   => $username,
                passphrase => $passphrase,
            or die $!;
        print "$result->{code} $result->{message}, score: $result->{score}\%\n";


This mod_perl module provides HTTP and SOAP interfaces to Data::Passphrase. A trivial form handler is also included, mostly as an example. By default, the various interfaces are accessible by the following URIs:

  Interface     URI
  ---------     ---
  form example

HTTP Interface

An application or user may submit the passphrase to be checked via the query parameter passphrase. The module also supports a username parameter, which defaults to $r->user(). Sites may wish to configure rules to check passphrases based on user-related data, so the username parameter may be useful for testing.

The response consists of an HTTP response code and status message in the header, and a JSON representation of the code, message, and score in the body. If a passphrase is deemed to weak via a certain rule, the error code associated with that rule is returned. Usually, these error codes are in the 4xx range. If a passphrase passes all rules, 200 is returned.

This module supports GET and POST request methods, but POST is usually appropriate to avoid passphrases being recorded in server logs. RESTful URLs are not used for the same reason.

SOAP Interface

SOAP semantics are provided by SOAP::Lite with a corresponding WSDL provided by Pod::WSDL. This interface exposes only the validate_passphrase() procedural method; there is no object-oriented RPC functionality.

Form Example

The form handler is just a trivial example for use in testing or as a starting point.


Andrew J. Korty <>


Data::Passphrase(3), Pod::WSDL(3), SOAP::Lite(3)