How to generate a random string?

Question

I would like to generate a random string (e.g. passwords, user names, etc.). It should be possible to specify the needed length (e.g. 13 chars).

What tools can I use?

(For security and privacy reasons, it is preferable that strings are generated off-line, as opposed to online on a website.)

Answer 1

My favorite way to do it is by using /dev/urandom together with tr to delete unwanted characters. For instance, to get only digits and letters:

tr -dc A-Za-z0-9 </dev/urandom | head -c 13; echo

Alternatively, to include more characters from the OWASP password special characters list:

tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 13; echo

If you have some problems with tr complaining about the input, try adding LC_ALL=C like this:

LC_ALL=C tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 13; echo

tr also has a character class for graphical characters that is a bit more readable. Limiting it to the C locale should produce the same kind of output as the above explicit list of characters:

LC_ALL=C tr -dc '[:graph:]' </dev/urandom | head -c 13; echo

Answer 2

I am using the openssl command, the swiss army knife of cryptography.

openssl rand -base64 12

or

openssl rand -hex 12

Answer 3

To generate a random password you can use pwgen:

pwgen generates random, meaningless but pronounceable passwords. These passwords contain either only lowercase letters, or upper and lower case mixed, or digits thrown in. Uppercase letters and digits are placed in a way that eases remembering their position when memorizing only the word.

Generate 7 passwords of length 13:

geek@liv-inspiron:~$ pwgen 13 7
Eu7Teadiphaec giepahl3Oyaiy iecoo9Aetaib4 phaiChae6Eivi athoo3igee8Co
Iphu4ufeDeelo aesoYi2lie9he 

As mentioned in the comments, you can avoid reducing entropy by using the -s argument (i.e. generate more secure, completely random but hard to remember passwords):

geek@liv-inspiron:~$ pwgen -s 13 7
eAfycrPlM4cYv 4MRXmZmyIVNBp D8y71iqjG7Zq7 FQRHcserl4R8O yRCUtPtV3dsqV
0vJpp2h0OrgF1 QTp7MKtJyTrjz 

For brew users, see here.

---

To generate random user names you can use gpw:

This package generates pronounceable passwords. It uses the statistics of three-letter combinations (trigraphs) taken from whatever dictionaries you feed it.

Generate 7 passwords (user names) of length 13:

geek@liv-inspiron:~$ gpw 7 13
sreepoidahsas
risadiestinge
ntodynesssine
deodstestress
natinglumperm
riasigentspir
enderiferback

Answer 4

Inspired by Pablo Repetto I ended up with this easy to remember solution:

shuf -er -n20  {A..Z} {a..z} {0..9} | tr -d '\n'

-e echoes the result

-r allows any character to appear multiple times

-n20 requests a random string with a length of 20 characters

{A..Z} {a..z} {0..9} defines the allowed char classes

shuf is part of coreutils and widely available or at least been ported.

Answer 5

Here is how, I do it. It generates 10 characters random string. You can optimize it by replacing the "fold", with other string processing tools.

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1

Answer 6

To generate password with the highest entropy possible with standard Linux tools that are built into every distribution I use:

< /dev/urandom tr -cd "[:print:]" | head -c 32; echo

This outputs all of the ASCII printable characters - from 32 (space) to 126 (tilde, ~). The password length can be controlled with the head's -c flag. There are also other possible character sets in tr (to not include the space, just characters 33-126, use [:graph:]).

Answer 7

Use the xxd command to specify length (via -l), which works both in Linux and macOS.  See the xxd(1) man page or the Linux xxd Command Tutorial for Beginners (with Examples).

xxd -l16 -ps /dev/urandom

Answer 8

Depending on the level of randomness you want, you could simply go with bash's (also zsh and ksh, possibly others) builtin $RANDOM variable:

$ echo $RANDOM | tr '[0-9]' '[a-z]'
bfeci
$ echo $RANDOM | tr '[0-9]' '[a-z]'
cijjj

The methods reading directly from /dev/urandom are far simpler, but for the sake of completion, you could also use $RANDOM:

echo $(for((i=1;i<=13;i++)); do printf '%s' "${RANDOM:0:1}"; done) | tr '[0-9]' '[a-z]'

Important: this solution will only produce random strings using the first 10 letters of the alphabet. Whether or not that is enough for you depends on what you need this for.

Answer 9

APG is included by default on some Linux distributions.

To generate passwords from size 5 to 10 in subsets Special, Numeric, Capital and Lower, the command is:

apg -MSNCL -m 5 -x 10

And returns

@OpVeyhym9
3:Glul
3DroomIc?
hed&Os0
NefIj%Ob3
35Quok}

As said by @landroni in comment.

Answer 10

I use:

base64 < /dev/urandom | tr -d 'O0Il1+/' | head -c 44; printf '\n'

This gives me 57 possible characters. The string can be copy-pasted (removed + and /) or printed and retyped as the difficult to distinguish characters (I1lO0) have been removed.

• 44 characters gives me: log₂(57⁴⁴) > 256.64 bits of entropy
• 22 characters gives me: log₂(57²²) > 128.32 bits of entropy

I like this because:

• the command is simple to type and memorable
• it uses standard system tools - no extra binaries
• doesn't "waste" much randomness (uses 89% of the random bits it receives vs ~24% for solutions directly piping to tr)
• 22 and 44 characters pair quite nicely (just above even) common power of two breakpoints
• the output can be easily selected and pasted or printed and retyped with minimal human error rates
• shorter than hex encoded (32 and 64 instead of 22 and 44) solutions such as md5sum/sha1sum, etc.

Credit to https://unix.stackexchange.com/a/230676/9583 and especially the comments for my initial inspiration.

Answer 11

@Brandin explained in a comment to another answer how to get at most 100 bytes from /dev/urandom using head -c 100. Another way to do this is with dd:

tr -dc A-Za-z0-9 < /dev/urandom | dd bs=100 count=1 2>/dev/null

The 2>/dev/null at the end of the dd command is to suppress the "... records in / ... records out" output.

I'm not aware of any substantial advantages/disadvantages between these two methods.

I had an issue with both methods of tr complaining about the input. I thought this was because it didn't like receiving binary input, and hence suggested first filtering /dev/random with iconv -c -t US. However, Gilles suggested a different diagnosis and solution, which works for me:

LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | dd bs=100 count=1 2>/dev/null

Answer 12

You can use one of md5 tools that has precisely this purpose. In the case of creating a completely random password you can use the md5pass. It is a very simple tool to use and very helpful, since you can use "normal text" together with a "salt" to jump-bit construction of the same password that you can recover afterwards, or alternatively you may want to get a completely random password all the time. The general usage is:

md5pass [password] [salt]

where password is a chosen word that will be used for the construction of the random string and salt is the jump in bytes to be used. Like this:

md5pass word

$1$.MUittVW$j.XDTF1QRnxqFdXRUiSLs0

This will create a "a random sequence" password for you to use. If you use no salt, then you may not be able to recreate this same string afterwards.

However if you use a salt like this:

md5pass word 512

$1$512$.0jcLPQ83jgszaPT8xzds0

then you can create a sequence which you can recover if you use the word in conjunction with the same salt (or jump) if it was originally defined.

Answer 13

These two commands generate random passwords and passphrases, respectively.

shuf --random-source=/dev/urandom --repeat --head-count=20 file_with_characters | tr --delete '\n'

shuf --random-source=/dev/urandom --repeat --head-count=7 file_with_words | tr '\n' ' '

The password generator requires a file_with_characters containing all the characters you want the password to use, one character per line, and exactly one time each. The file must not contain blank lines, and lines must be newline-terminated.

The passphrase generator requires a file_with_words containing all the words you want the passphrase to use, one word per line, and exactly one time each. The file must not contain blank lines, and lines must be newline-terminated.

The --head-count option specifies the length of the password--in characters--or passphrase--in words.

Answer 14

I've found that piping /dev/urandom to tr on macOS didn't work. Here's another way:

set="abcdefghijklmonpqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
n=6
rand=""
for i in `seq 1 $n`; do
    char=${set:$RANDOM % ${#set}:1}
    rand+=$char
done
echo $rand

Answer 15

I would like to contribute my usual command to generate a password

$ cat /dev/urandom | base64 | head -n 1 |tr -dc '[:alnum:]' |cut -c -13
b0R55751vWW9V

To configure the length of the password, change the number in the cut command to the length that you require, for example, 24 character

$ cat /dev/urandom | base64 | head -n 1 |tr -dc '[:alnum:]' |cut -c -24
WFBhVHuKbrnRhd5kdWXPzmZG

Don't want confusing 0 or O, 1 or l? Filter it out with another tr

$ cat /dev/urandom | base64 | head -n 1 |tr -dc '[:alnum:]' | tr -d '0O1l'|cut -c -24
JuCphwvhrhppD9wVqfpP2beG

I personally never prefer special character in password, that is why I only choose [:alnum:] for my password generator

Answer 16

pwgen, as everyone else has said, for passwords.

Lowercase only, secure, at least 1 number, 8 characters, 1 result

$ pwgen -snA 8 1
d14o5wgh

Same, but at least 1 uppercase

$ pwgen -csn 8 1
bMxDxcr4

A diceware cli for usernames, and passwords if you want, for something a little more recollection friendly; I use the pip package diceware, which is fine for my needs.

3 words and 2 symbols

$ diceware -n3 -s2
DemandingWhimsical*a1iar

I am sure there are at least 100 more, of which 74% are written in nodejs, because, uh.. well that's what they do. Whichever you do decide upon, I would prioritize built-in upcase/downcase, because you will have those contraints at some point, and performing either of those is annoyingly long in posix shell.

cheers

Answer 17

The Unix philosophy of "many small tools that do one thing well" serves you very well in this case.

• /dev/urandom is a stream of random "bytes" (which include non-printable characters)
• base64 encodes byte data into [A-Za-z0-9/+] (which is entirely printable)
• dd copies input to output applying modifiers given as arguments (which can include block size and block count)

OSX

base64     < /dev/urandom | dd bs=1k count=1

Linux

base64 -w0 < /dev/urandom | dd bs=1k count=1

Notes:

• If you need a subset of the characters, you can insert a modifier in the pipe.
  • Ex: tr -d '[A-Z/+]' to get rid of capital letters and + and /
• You can set the bs (block size) to whatever length you need.
• On Linux, base64 wraps to 76 columns by default and must be reset with -w0 unless you want that.

Answer 18

I got my way with grep:

grep -ao '[!-~]' < /dev/urandom | head -32 | tr -d '\n' ; echo ""

Without special characters:

grep -ao '[A-Za-z0-9]' < /dev/urandom | head -32 | tr -d '\n' ; echo ""

head defines the length of the string.

Answer 19

I maintain secpwgen in Alpine Linux & keep the sources on my Github.

It can produce random strings or diceware phrases:

musl64 [~]$ secpwgen
USAGE: secpwgen <-p[e] | -A[adhsy] | -r | -s[e]> N

PASSPHRASE of N words from Diceware dictionary
  -p    generate passphrase
  -pe   generate enhanced (with symbols) passphrase

SKEY PASSWORD of N words from S/Key dictionary
  -s    generate passphrase
  -se   generate enhanced (with symbols) passphrase

ASCII RANDOM of N elements (at least one option MUST be present)
  -A    Each letter adds the following random elements in output:
    a    alphanumeric characters
    d    decimal digits
    h    hexadecimal digits
    s    special characters
    y    3-4 letter syllables

RAW RANDOM
  -r    output BASE64 encoded string of N random BITS
  -k    output koremutake encoding of N random BITS

To generate a 13 character random string you would use:

musl64 [~]$ secpwgen -Aas 13
----------------
WK5#*V<]M3<CU ;ENTROPY=67.21 bits
----------------
INFO: destroying random number generator.
INFO: zeroing memory.

musl64 [~]$ secpwgen -Aa 13
----------------
GP0FIEBM9Y3BT ;ENTROPY=67.21 bits
----------------
INFO: destroying random number generator.
INFO: zeroing memory.

For users to remember a password use the diceware phrases:

musl64 [~]$ secpwgen -p 5
----------------
wq seen list n8 kerr  ;ENTROPY=65.00 bits
----------------
INFO: destroying random number generator.
INFO: zeroing memory.

I personally like:

musl64 [~]$ secpwgen -r 512
----------------
h62lL7G4gwh3/j9c7YteQvVXoqJrQKKPWVR3Lt7az36DcfWZWtUgBT19iwmJBwP4UahNzPe7qYD7OcklUFpCzQ== ;ENTROPY=512.00 bits
----------------
INFO: destroying random number generator.
INFO: zeroing memory.

Answer 20

Only using head y md5sum to generate hex passwords of length 22:

 head -c 2048 /dev/urandom | md5sum | head -c 22 ; echo

Ultra secure? Maybe not. Easy? Yes.

Answer 21

With a short bash script:

len=20
arr=( {33..126} ) arrcount=${#arr[@]}
for ((i=0; i<len; i++)); do
    printf \\$(printf '%03o' ${arr[RANDOM%arrcount]})
done; echo

If you prefer without specials characters, use:

arr=( {48..57} {65..90} {97..122} )

This is ascii decimal codes ranges, see man ascii

Answer 22

My way for a very secure password (where 16 is the pw length):

cat /dev/urandom | tr -cd [:graph:]|head -c 16

Example result:

jT@s_Nx]gH<wL~W}

Or alternatively, to generate multiple passwords:

cat /dev/urandom | tr -cd [:graph:]|fold -w 16|head -6

Example result:

7ck%G7'|f&}_8(]s
<?*]E.CG[NB'gK#A
:tF-WPTOa3!i7S(h
2xy(>=%3=Kb1B$`6
*98Lf{d?Jzb}6q1\
E7uCEAN2Hz]]y|5*

Little less secure (smaller character set):

cat /dev/urandom |base64 -w 0|fold -w 16|head -6

Example result:

rJqYxYZLOTV+A45w
PUKQ+BoBf6yfZw5m
+LRfpsN9CsLRiN8V
yMS6zDpL6NHmG17s
yTUWPG7Rum97schi
cognvjVwaKaAyPRK

Answer 23

None of the answers so far are truly cross-OS.

The main flaws are represented by the locale definition (MacOS case) and tr being unable to recognize intervals of characters (Solaris case).

You should try shlibs. It's fresh and truly cross-OS. The code to get a random string is shlibs str005 (./shlibs str005).

Get a random string of 50 chars, include puntuation, exclude numbers:

shlibs str005 50 -p -xd

Answer 24

This answer is similar to the /dev/urandom method but using openssl rand.

Generate random bytes large enough such that after filtering down to the desired characters, you still meet the required length.

Here, I generate 1000 random bytes for 10 alphanumeric characters a-zA-Z0-9:

LC_ALL=C tr -dc a-zA-Z0-9 < <(openssl rand 1000) | head -c10

Note that the above uses process substitution <(...). If your shell doesn't support it, you can create a temporary file:

openssl rand 1000 > random.tmp
LC_ALL=C tr -dc a-zA-Z0-9 < random.tmp | head -c10

Answer 25

A simple Bash script based on answer by @Gilles Quénot.

Example:

---

chmod +x './rand_string.sh';
Generate 1 string of length 64.
./rand_string.sh;
Generate 1 string of length 32.
./rand_string.sh 32;
Generate 4 strings of length 25.
./rand_string.sh 25 4;

Script ("rand_string.sh")

---

#! /usr/bin/env bash
set -eu;
Constants
----------------------------------------------------------------
declare -r _chars=(
    {48..57}   # 0-9
    {65..90}   # A-Z
    {97..122}  # a-z
{33..47}   # !"#$%&'()*+,-./
{58..64}   # :;<=>?@
{91..96}   # []^_`
{123..126} # {|}~
);
declare -r _lengthDefault=64;
declare -r _countDefault=1;
Functions
----------------------------------------------------------------
Main_generateString()
{
    # Options
declare length=&quot;$1&quot;;
shift || true;

# Main

declare charCount=&quot;${#_chars[@]}&quot;;
declare i;

for (( i=0; i &lt; length; i++ ));
do
    declare charHex; charHex=&quot;$( printf -- '%x' &quot;${_chars[RANDOM%charCount]}&quot;; )&quot;;
    printf -- &quot;\\x${charHex}&quot;;
done;

}
Main
----------------------------------------------------------------
main()
{
    # Options
declare length=&quot;${1:-$_lengthDefault}&quot;;
shift || true;
declare count=&quot;${1:-$_countDefault}&quot;;
shift || true;

# Main

declare i;

for (( i=0; i &lt; count; i++ ));
do
    Main_generateString &quot;$length&quot;;
    printf -- '\n';
done;

}
main "$@";

Answer 26

For lengths between 1 and 32, you can use uuidgen from libuuid or util-linux, simply replacing <LENGTH> below:

uuidgen -r | tr -d '-' | head -c <LENGTH>
or
random=$(uuidgen -r | tr -d '-') && echo "${random:0:<LENGTH>}"

Note: 6–7 of 128 bits are pre-determined and fixed.