Linux: Generating Strong Passwords Using random/urandom
Occasionally, I find myself logged into a system that does not have a random password application installed and do not want to go to the trouble of downloading one. Below is the easiest processes that I have found to generate a pretty random password from any Linux variant.
To begin, strait from the Linux man page:
/dev/random
When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.
/dev/urandom
A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current non-classified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your appli‐cation, use /dev/random instead.
So basically, using /dev/random results in the strongest and most random characters. Only downfall is the wait needed unless you have a lot of noise or specific hardware to accelerate the process.
* I tested a cut and paste from this page and some of the lines did not work correctly due to either the CSS or WordPress doing something weird with the ‘ and ` symbols. So if one of the strings do not work for you, try deleting the ‘ and adding it back in.
Creating random passwords which contains no special characters, is 10 characters long and displays 4
$ cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4 z4w7RENNIn ZOYg80cuQx Kgm6IrS5wc F741uiEXl6
Creating passwords which DO contain special characters, and is 12 characters long. The grep at the end might seem a little redundant, but depending on how short your character length is (using fold), urandom will result in stings with no special characters. Grep keeps that from happening here.
$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'
a(PYY5oid#2Z
>s#e)C5Kl=kc
63r)WBt9Y)^J
2_a5RLJV<CZH
Below shows just how quick it is to use ‘urandom’
$ time cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'
GiTG=JUu?OEN
UOAzoyQ:p>TQ
fQVa8@&wytnQ
$PaMT*70z|fh
real 0m0.158s
user 0m0.028s
sys 0m0.048s
Now for better randomness we will use /dev/random. This takes a lot longer on anything thats not server grade, or has special hardware.
$ time cat /dev/random| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' |fold -w 10| head -n 1| grep -i '[!@#$%^&*()_+{}|:<>?=]'
}>71Bw_DjN
real 25m47.473s
user 0m0.032s
sys 0m0.172s
I tested this with /dev/random while writing the blog. On this old laptop hardware, I was able to generate one 10 character string about every 20-30 minutes.
Now these stats were collected from a crappy laptop running Ubuntu. Specs as follows:
# cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 9 model name : Intel(R) Pentium(R) M processor 1500MHz
and 2 gigs of ram.
If you haven’t caught on to the command string, the following can be modified to meet your standards:
- “tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’” any range or character can be removed. I know some auth systems are not compatible with some characters
- “fold -w 10” this is the length cut off point of the string to be generated. Increase or decrease for more or less characters.
- “head -n 4” just pulls four results. If more or less is needed, modify this number.
Notes: Yes, I know this is pseudo-random. For the majority of people, using urandom will work just fine. If not, /dev/random is a lot better. To reach the best level, you can try using feeds from external sources. People have used anything from external antennas, webcams, to nuclear decay
Wikipedia article
You know what I like to do…
dd if=/dev/urandom count=1 | md5sum
Then I copy the resulting hash and use that as the password.
Sometimes I also use
dd if=/dev/random count=1 | openssl base64
None of these passwords are human rememberable, so there’s usually no real reason not to make it 32 characters instead, and use copy+paste to enter passwords and store them in the password vault.
Of course one can grab a few characters out of them and use that slice.
The long tr commands are a bit much to type on a system.
Draco said this on June 4, 2009 at 10:48 pm
I agree, using tr makes the command hard to remember. I actually just copy and paste it when needed, or copy a list of generated ones to a pad for future use. I definitely do like you option of using md5sum. I was worried about passing non-ascii characters over, but looks like it works fine! When not mass generating accounts, I think I will actually use the md5sum method. Thanks!
kcollo said this on June 5, 2009 at 8:47 am