Scott Penrose


Scott is an expert software developer with over 30 years experience, specialising in education, automation and remote data.

Passwords are important. But how secure is too secure.

This entry is bound to increase my flames, as I am about to throw away lots of security and go for a very simple password.

CPAN is good, and I love Data::Password , Data::Password::Check and Data::Password::BasicCheck . So I used BasicCheck in my project.

Of the 10 people I tried using the system, all developers and technical people, only one managed to get a valid password to BasicCheck in under 3 attempts. One attempt went to 10.

Now these numbers are completely unfair, because I did not publish the requirements on the page.

However the conclusion was that no one would have stayed to use the system produced. The reaslity is, that even my bank and Paypal accepted lesser passwords than the least secure password checker on CPAN.

When to use high security

The higher security modules like Data::Password::Check should be used for high security systems, like admin access to systems, or where money is involved like Banks.

So yes, Banks and Paypal passwords are too simple. At least in banks you are less likely to guess a login id. But in paypal that is advertised (it is the email you pay to).

What about BasicCheck

I like the Basic Check module Data::Password::Check . It is good for things like email accounts.


You are trying to get the Gen-Y to join up to your social networking site. Or you are trying to get someone to login to a forum post. This is where all of the above test are just too complicated. Enter Data::Password::SimpleCheck - stealing the name from the others.

Extra Checks

I recommend the following, for comparing against the user.

  • Lower case email & password are not substrings of each other
  • XXX Check userinfo in password check modules...