Linux: Generating Strong Passwords Using random/urandom

Occasionally, I find myself logged into a system that does not have a random password application installed and do not want to go to the trouble of downloading one.  Below is the easiest processes that I have found to generate a pretty random password from any Linux variant.

To begin, strait from the Linux man page:

When  read,  the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool.  /dev/random should be suitable for uses that need very high quality randomness  such  as  one-time  pad  or key generation.  When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.

A read from the /dev/urandom device will not block waiting for more entropy.  As a result, if there is not sufficient  entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver.  Knowledge of how to do this is not available in  the  current  non-classified literature,  but it is theoretically possible that such an attack may exist.  If this is a concern in your appli‐cation, use /dev/random instead.

So basically, using /dev/random results in the strongest and most random characters.  Only downfall is the wait needed unless you have a lot of noise or specific hardware to accelerate the process.

* I tested a cut and paste from this page and some of the lines did not work correctly due to either the CSS or WordPress doing something weird with the ‘ and ` symbols.  So if one of the strings do not work for you, try deleting the ‘ and adding it back in.

Creating random passwords which contains no special characters, is 10 characters long and displays 4

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Creating passwords which DO contain special characters, and is 12 characters long.  The grep at the end might seem a little redundant, but depending on how short your character length is (using fold), urandom will result in stings with no special characters.  Grep keeps that from happening here.

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'

Below shows just how quick it is to use ‘urandom’

$ time cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'

real    0m0.158s
user    0m0.028s
sys    0m0.048s

Now for better randomness we will use /dev/random.  This takes a lot longer on anything thats not server grade, or has special hardware.

$ time cat /dev/random| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' |fold -w 10| head -n 1| grep -i '[!@#$%^&*()_+{}|:<>?=]'


real    25m47.473s
user    0m0.032s
sys    0m0.172s

I tested this with /dev/random while writing the blog.  On this old laptop hardware, I was able to generate one 10 character string about every 20-30 minutes.

Now these stats were collected from a crappy laptop running Ubuntu.  Specs as follows:

# cat /proc/cpuinfo
processor    : 0
vendor_id    : GenuineIntel
cpu family    : 6
model        : 9
model name    : Intel(R) Pentium(R) M processor 1500MHz

and 2 gigs of ram.

If you haven’t caught on to the command string, the following can be modified to meet your standards:

- “tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’” any range or character can be removed.  I know some auth systems are not compatible with some characters
- “fold -w 10” this is the length cut off point of the string to be generated.  Increase or decrease for more or less characters.
- “head -n 4” just pulls four results.  If more or less is needed, modify this number.
Notes:    Yes, I know this is pseudo-random.  For the majority of people, using urandom will work just fine.  If not, /dev/random is a lot better.  To reach the best level, you can try using feeds from external sources.  People have used anything from external antennas, webcams, to nuclear decay

Wikipedia article

About these ads

~ by Kevin Goodman on January 7, 2009.

7 Responses to “Linux: Generating Strong Passwords Using random/urandom”

  1. You know what I like to do…

    dd if=/dev/urandom count=1 | md5sum

    Then I copy the resulting hash and use that as the password.
    Sometimes I also use

    dd if=/dev/random count=1 | openssl base64

    None of these passwords are human rememberable, so there’s usually no real reason not to make it 32 characters instead, and use copy+paste to enter passwords and store them in the password vault.

    Of course one can grab a few characters out of them and use that slice.

    The long tr commands are a bit much to type on a system.

  2. I agree, using tr makes the command hard to remember. I actually just copy and paste it when needed, or copy a list of generated ones to a pad for future use. I definitely do like you option of using md5sum. I was worried about passing non-ascii characters over, but looks like it works fine! When not mass generating accounts, I think I will actually use the md5sum method. Thanks!

  3. The output of md5sum is base 16, where as using tr with [:alnum:] gives you base 62. Given the same length, the tr method provides a much higher resolution password.

    I use:

    cat /dev/urandom | tr -dc [:alnum:] | head -c48; echo

  4. Nice. Just as fast and do not get the miscellaneous output that you would with the “dd” command. This is another good alternative simple command line argument to generate password(s). Thanks!

  5. [...] for an even more secure password. For more information on this (and other aspects) go and read this post. It should answer some, if not most, of your [...]

  6. echo `< /dev/urandom tr -dc '[:print:]' |fold -w 10| head -n 10`

  7. […] Source: […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 1,372 other followers

%d bloggers like this: