The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


Data::Password::passwdqc - Check password strength and generate password using passwdqc


  use Data::Password::passwdqc;

  my $pwdqc = Data::Password::passwdqc->new;
  print 'OK' if $pwdqc->validate_password('arrive+greece7glove');

  my $is_valid = $pwdqc->validate_password('new password', '0ld+pas$w0rd');
  print 'Bad password: ' . $pwdqc->reason if not $is_valid;

  my $password = $pwdqc->generate_password;


Data::Password::passwdqc provides an object oriented Perl interface to Openwall Project's passwdqc. It allows you to check password strength and also lets you generate quality controllable random password.


min [Int0, Int1, Int2, Int3, Int4]

Defaults to [undef, 24, 11, 8, 7].

The minimum allowed password lengths for different kinds of passwords and passphrases. undef can be used to disallow passwords of a given kind regardless of their length. Each subsequent number is required to be no larger than the preceding one.

Int0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters, which could not be classified, but are assumed to be non-digits.

Int1 is used for passwords consisting of characters from two character classes that do not meet the requirements for a passphrase.

Int2 is used for passphrases. Note that besides meeting this length requirement, a passphrase must also consist of a sufficient number of words (see the passphrase_words option below).

Int3 and Int4 are used for passwords consisting of characters from three and four character classes, respectively.

When calculating the number of character classes, upper-case letters used as the first character and digits used as the last character of a password are not counted.

In addition to being sufficiently long, passwords are required to contain enough different characters for the character classes and the minimum length they have been checked against.

max Int

Defaults to 40.

The maximum allowed password length. This can be used to prevent users from setting passwords that may be too long for some system services.

The value 8 is treated specially: with max=8, passwords longer than 8 characters will not be rejected, but will be truncated to 8 characters for the strength checks and the user will be warned. This is to be used with the traditional DES-based password hashes, which truncate the password at 8 characters.

It is important that you do set max=8 if you are using the traditional hashes, or some weak passwords will pass the checks.

passphrase_words Int

Defaults to 3.

The number of words required for a passphrase, or 0 to disable the support for user-chosen passphrases.

match_length Int

Defaults to 4.

The length of common substring required to conclude that a password is at least partially based on information found in a character string, or 0 to disable the substring search. Note that the password will not be rejected once a weak substring is found; it will instead be subjected to the usual strength requirements with the weak substring partially discounted.

The substring search is case-insensitive and is able to detect and remove a common substring spelled backwards.

random_bits Int

Defaults to 47.

The size of randomly-generated passphrases in bits (24 to 85), or 0 to disable this feature.


  $is_valid = $pwdqc->validate_password('new password');
  $is_valid = $pwdqc->validate_password('new password', 'old password');
  $is_valid = $pwdqc->validate_password('new password', 'old password', 'username');
  $is_valid = $pwdqc->validate_password('new password', 'old password', 'username', 'real name');
  print $pwdqc->reason if not $is_valid;

Checks passphrase quality. Returns a true value on success. If the check fails, it returns a false value and sets reason.

  my $password = $pwdqc->generate_password;

Generates a random passphrase. Throws an exception if passphrase cannot be generated.


Sherwin Daganato <>

The copy of passwdqc bundled with this module was written by Solar Designer and Dmitry V. Levin.


dhardison: Dylan William Hardison <>

srezic: Slaven Rezic <>


This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.