Different Ways To Generate A Strong Password In Linux

11 Responses

  1. 1985a says:

    another one

    openssl passwd -1 -salt xyz mypasswordhere

  2. Mar says:

    Hello,
    thanks for your article.

    In the first example, the command should be “openssl rand -base64 14”.
    Since the syntax for openssl rand is “openssl rand [flags] num”.

  3. sk says:

    Thanks for pointing it out. I updated the guide with more methods now.

  4. ldgregory says:

    If you want to generate xkcd style passwords without having to install anything, here’s a one liner I wrote a while back. -n 5 gives you five words, -n 4 would give you 4 words. The tr’s are to remove punctuation (like apostrophes), convert lower to upper case and replace spaces with dashes.

    shuf -n 5 /usr/share/dict/words | tr -d '[:punct:]' | tr '[:lower:]' '[:upper:]' | tr '\n' '-' | head -c-1; echo

  5. David says:

    I currently use diceware. It can be installed on most Linux distributions.

  6. Jay Sanders says:

    No need for that. Just think of a sentence memorable to you – for example: “This article proposes mechanisms that are not necessary, and which lead to passwords you can’t really remember.” Select the first letter in each word: “Tapmtann,awltpycrr.” You can use a shorter sentence, selecting instead the first two letters in each word, when they have more than just one letter: “Ashse,bunese.” As long as you don’t use a published sentence, the passwords generated by this approach can be as strong as you want.

  7. Michael H. Warfield says:

    Nice article but I’ll pick a few nits, being a security professional…

    Any passwords less than 12 characters are horribly insecure, so take out all the above that generate weak passwords. Even the 12 character minimum does not provide sufficient entropy and is antiquated. Any generator generating monkey on a keyboard strings is immediately suspect and should not be used.

    The xkcd example is the only good one I saw here. I’ve added that to my systems [THX!!!]. Xkcd had it exactly right. But it’s only a start. Add mixed case, numbers, punctuation, and some deliberate mispeelings, and you’ve got something there. But it’s a great start and the only one that I liked here. The rest of them seem to be so last century.

    The shuf example in the comments was good, I hadn’t thought about using that with /usr/share/dict/words and I only used the IETF OPIE lexicon of 2048 words in a home grown effort over a decade ago (that’s how old some of this stuff is). But the shuf example is overburdened with excessive “tr” dross. You want punctuation and you want mixed case. Why would you want to weaken your passwords? I have a full rich mix of uppercase, lowercase, numbers, and punctuation in all my passwords and I use a generator like my own or the xkcd example as a starting point to then “enrich them” with additional camel case and numbers (1337 sp33k) and punctuation and mispeeling (sic).

    By far, the largest threat to passwords is PASSWORD REUSE. This is fine if this is your only password to your only system and you never register with web sites. I have over 10,000 passwords (I am NOT exaggerating here) in my KeyPassXC database. KeyPass / KeyPassX / KeyPassXC / KeyPassDroid all support an encryption seed file as well as a password. Make that password long and tough. Put that password into a hardware token like a YubiKey (2 slots) or OnlyKey (24 slots in 2 profiles with a self destruct PIN). Only unlock your password database with your hardware token. Then make every password different and store it in your password safe. Then, if someone cracks your system, they don’t have your key. If someone cracks a web site with your password, it won’t work anywhere else. The only thing I wish KeyPass / KeyPassX / KeyPassXC / KeyPassDroid (and others) would add would be an xkcd generator to their password generators. Even then, they fill in a suggested password that you can (and should) modify yourself to enrich the complexity. If you use a password manager, most have a decent generator built-in.

    I found the last recommendation in this article to “memorize the password and delete it from your system. It is much better just in case your system is compromised” to be totally inappropriate in anything but the most trivial of circumstances, as it naturally inclines you to use password reuse to cut down on the number of passwords you have to remember and thus compromises them all.

    I personally use an OnlyKey for my login to my systems and for unlocking my KeyPassXC database and unlocking my Firefox Secure Service Container (SSC).

  8. Michael H. Warfield says:

    You can install xkcdpass on Fedora and other RPM derivatives using this (obviously you need pip but that’s in the repos):

    pip install xkcdpass

  9. Michael H. Warfield says:

    Correcting a misspeeling (sic) in my previous comment… The key safe application is KeePass, KeePassX, KeePassXC or KeePassDroid – “kee, not key”. My bad. On Linux, you would generally use KeePassXC (the modern fork of KeePassX) and those are open source implementations of KeePass. KeePassDroid is the Android version.

  10. Inka says:

    A variation on one of the supplied ways:

    $ < /dev/urandom tr -dc a-zA-Z0-9 | head --bytes=16 | sed 'a\'
    CGPmTuncAAQtYGzq
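The shuf pipeline in comment 4, the entropy objections in comment 7 and the /dev/urandom pipeline in comment 10 can be put on one footing. The following is an added example and is not code from the original article or from any commenter: an xkcd-style passphrase generator built on Python's `secrets` module (the OS CSPRNG, not `random`), a character generator equivalent to the `tr -dc a-zA-Z0-9` pipeline, and the entropy bound for each method under the assumption that the attacker knows the method and the wordlist. The `SAMPLE_WORDS` list is constructed for the example; `load_words` falls back to it only when /usr/share/dict/words is absent. Function names are the example's own.

```python
"""Added example (not from the original post): xkcd-style and random-character
password generation with a CSPRNG, plus the entropy each method actually buys."""
import math
import secrets
import string

# Constructed stand-in for /usr/share/dict/words so the example runs offline.
# It deliberately contains an apostrophe and a case-variant duplicate (Paris/paris).
SAMPLE_WORDS = """
correct
horse
battery
staple
o'clock
Paris
paris
anvil
lantern
""".split()


def load_words(path="/usr/share/dict/words", fallback=SAMPLE_WORDS):
    """Return the system dictionary, or the constructed sample if it is missing."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return [w.strip() for w in fh if w.strip()]
    except OSError:
        return list(fallback)


def clean_word(word):
    """Drop punctuation (apostrophes etc.) and upper-case, as the tr pipeline does."""
    return "".join(ch for ch in word if ch not in string.punctuation).upper()


def cleaned_words(words):
    """Normalise and de-duplicate: Paris/paris collapse to one entry, so the
    effective wordlist (and its entropy) is measured after cleaning, not before."""
    return sorted({clean_word(w) for w in words if clean_word(w)})


def xkcd_passphrase(words, n=5, sep="-"):
    """Pick n words uniformly with secrets.choice; duplicates were removed so
    no word is over-represented in the pool."""
    pool = cleaned_words(words)
    return sep.join(secrets.choice(pool) for _ in range(n))


def random_chars(length=16, alphabet=string.ascii_letters + string.digits):
    """Equivalent of `< /dev/urandom tr -dc a-zA-Z0-9 | head --bytes=16`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wordlist_entropy_bits(wordlist_size, n_words):
    """Entropy of n independent uniform picks from a list: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(charset_size, length):
    """Entropy of a uniform random string: length * log2(charset size)."""
    return length * math.log2(charset_size)


def compare_methods(cleaned_list_size):
    """Bits of entropy for the methods discussed in the comments, assuming the
    attacker knows the generation method (Kerckhoffs) and the wordlist."""
    return {
        "5 diceware words (7776-word list)": wordlist_entropy_bits(7776, 5),
        f"5 words from a {cleaned_list_size}-word list": wordlist_entropy_bits(cleaned_list_size, 5),
        "12 random [a-zA-Z0-9] chars": charset_entropy_bits(62, 12),
        "16 random [a-zA-Z0-9] chars": charset_entropy_bits(62, 16),
    }


if __name__ == "__main__":
    words = load_words()
    print(xkcd_passphrase(words))
    print(random_chars())
    for name, bits in compare_methods(len(cleaned_words(words))).items():
        print(f"{bits:6.1f} bits  {name}")
```

Five diceware words come to about 64.6 bits and 16 alphanumeric characters to about 95.3 bits; five words from a cleaned 100,000-entry system dictionary land near 83 bits. The figures are upper bounds that hold only when the picks are uniform from a CSPRNG, which is why the example uses `secrets` rather than `random`. Manual "enrichment" (capitalising a word, swapping an e for a 3) adds less than it feels like, because cracking rulesets already enumerate the common substitutions; adding one more word from the list adds a known, auditable amount.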

  11. Jim says:

    I have no trouble generating strong passwords, I do have trouble remembering them!
