How to create strong passwords in Linux?

Question

I wonder how I can create strong passwords on Linux (for both normal and admin users) and if there are specific programs to do that.

Answer 1

pwgen is one of many programs for generating passwords

Answer 2

Personally, I prefer not to use password generator as password generated are very hard to remember, but one portable solution is to use /dev/urandom

Creating random passwords which contains no special characters, is 10 characters long:

$ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 10` 
dyxJRKldvp

This works by grabbing bytes from /dev/urandom, deleting the ones that don't fit the pattern specified in the tr command, and limiting it to 10 characters with head.

Creating random passwords which contains special characters, is 10 characters long:

$ cat /dev/urandom | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' | fold -w 10 | grep -i '[!@#$%^&*()_+{}|:<>?=]' | head -n 1
MSF4wj@vP0

This uses a slightly different technique after tr removes unwanted bytes, as the idea is to force it to have at least one special character. This works by using the fold command to wrap the line into groups of 10, then using grep to fetch only lines that contain a special character. head then fetches the first password that meets the requirements.

Answer 3

I wrote this little script a few years ago and have been using it ever since. If anything, it's an interesting abuse of printf and uses a lovely feature of BASH that I unfortunately rarely see in scripts: typeset.

#!/usr/bin/env bash
# Released into public domain
# Aaron Bockover, 2005
# http://abock.org

typeset -i length; length=$1
typeset -i rounds; rounds=$2
[ $rounds -lt 1 ] && rounds=1
[ $length -lt 1 ] && {
    echo "Usage: $0 <length> [<rounds>]" 2>/dev/null; exit 1;
}
for ((i=0; i < $rounds; i++)); do
    for ((j=0; j < $length; j++)); do
        set=$(($RANDOM % 20))
        if   [ $set -le 6 ];  then o=65; l=26; # 35% uppercase
        elif [ $set -le 13 ]; then o=97; l=26; # 35% lowercase
        elif [ $set -le 17 ]; then o=48; l=10; # 20% numeric
        elif [ $set -le 18 ]; then o=58; l=7;  # 10% symbolic
        elif [ $set -le 19 ]; then o=33; l=15; fi
        ord=$(($o + $RANDOM % $l))
        printf \\$(($ord / 64 * 100 + $ord % 64 / 8 * 10 + $ord % 8))
    done
    echo
done

Answer 4

apg is not a bad choice if you want password that can be easily remembered.

; apg -m 16 -a 0 -t
ByajNudgolIston9 (Byaj-Nud-gol-Ist-on-NINE)
Af}ockhuecUjrak8 (Af-RIGHT_BRACE-ock-huec-Uj-rak-EIGHT)
IakijKadmomIvgig (Iak-ij-Kad-mom-Iv-gig)
NutIlOsyahodBeef (Nut-Il-Os-ya-hod-Beef)
anMechOybekazell (an-Mech-Oyb-ek-az-ell)
VumushCummAd{fra (Vum-ush-Cumm-Ad-LEFT_BRACE-fra)

Note that according to this, your password should be at least 12 characters long.

Answer 5

I'd also add KeePassX which gives you the option of using system entropy to generate strong passwords with a few nice features - all using GUI. It also gives you the option of managing your passwords, and saving them to an encrypted file.

This is how KPX password generator interface looks like:

Answer 6

I use a non random, but is varied enough for all attack purposes... master password, and last pass to generate other passwords. Here's how I generate the master password.

echo -n "some seed" |  openssl dgst -binary -sha1 | base64 | sed -e 's/.\{4\}/& /g'

and the output

H1sI Wpbj JE2P CdVJ A1qb 9B/e u7M= 

now just pick a few of the sections and make a password, rearrange them, leave some out, add a character or 2 to make it as good as random. As long as you can remember your seed you can regenerate this, and recover your password (so long as you don't make too many modifications)

Answer 7

Here's a one-off script for generating XKCD-style passphrases. /usr/share/dict/words isn't a great dictionary for this since most of the words are long, but it is easily available. For nicer passphrases you could use a dictionary of short words such as the S/Key One-Time Password word list.

dict="/usr/share/dict/words"
max="`wc -l <"$dict"`" \
    perl -e '$count=4;
        $/=\4; while (<>) {
            print unpack('L') % $ENV{max} + 1, qq(\n); last unless --$count
        }' /dev/urandom | 
    while read n ; do 
        tail -n "+$n" "$dict" | head -1
    done

Answer 8

pwgen is a wonderful little cli tool that let's you specify a number of parameters to set complexity, character classes number of passwords to generate, length, etc.

Answer 9

I have two aliases added to my .zshrc.local file to create strong passwords.

The first is:

alias pw.graph="cat /dev/urandom | tr -dc '[:graph:]' | fold -w 1000 | perl -pe 's/(.)(?=.*?\1)//g' | head -n 5"

The output of typing pw.graph is five lines of every character that can be typed on a keyboard with the exception of the space bar:

/d=|&mRq!g$QaNZ'L;CfEli,D3\)*h-jkerzv?{y"_Ic(0BtxJwF59:@G}KV1X2o>S~[#]s+W%A.<6bpTO^uP7U4HMYn`8
RIdW87{a4O3][?&rTn=m/:Y`_u*hqy2c%s@!ZPM$5to1f-.U9ClK,)'jDi0"pw>EzN^|gX~BSAJk\VFG(H<bx}+Q6#vL;e
s^H@yEo/X$|d?_jw7-n'l>m"Cb\W5.tTe0APB1D!#69[p+(8x}F&~RM`q3Q%vhfOiUZz]ucJk:)*agGV;=NY4{,K2SLrI<
$/t|!s}og5u:X~hcJUyYHf>;l<zDedL`.T*K8]CBSW[(xw+Mm^E3r16b-97%'@jVR{ZG#0p4AP=,I?\n&"a)vqNkQ2iO_F
,7n|^Y\%MpeBqvhI3mE<9zPS/~+sU`4ZoCWl&uxd'ft"kjcOy0X!{a-T_6RKiVg5Hb21D)w>@*N8;A[(rLG=$Q:.#]FJ?}

The second is:

alias pw.alnum="cat /dev/urandom | tr -dc '[:alnum:]' | fold -w 1000 | perl -pe 's/(.)(?=.*?\1)//g' | head -n 5"

The output of typing pw.alnum is every printable letter and number both upper and lower case:

E6wgCfVBbXjyzYQ8USKl79LqPih0e5mvGrNHd3osaW2OxkJ1RM4nFTtcuZIpDA
GTvQON1dsZSpJmegBMK6bqnEciU7k0AoV2H4Wh53zr9YRfLlDxywXItu8CjPFa
6u1Db9MfyBApZdU7gqoV2PGwH5LcxWi3JNj8nkQCIThezSlYEXsOtrmF04KvaR
VFrsGwI9yAmabEnlRTKgZO23vUq4f6LHkzQP7tMjNW8ph1exuDoBCXSd50JciY
G3r6Em5tlfjQARJx9gWHes7bCVwkzcP48KaSIXyUFBMLqT0op1uDNdih2nYZOv

I typically use pw.graph and copy a random portion of the line. Some passwords do not allow symbols so I use a portion of pw.alnum for that.

Answer 10

I use this saved as a .html file:

<script>
var keylist="abcdefghijklmnopqrstuvwxyzABCEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*_"
var temp=''

function generatepass(plength){
temp=''
for (i=0;i<plength;i++)
temp+=keylist.charAt(Math.floor(Math.random()*keylist.length))
return temp
}

function populateform(enterlength){
document.pgenerate.output.value=generatepass(enterlength)
}
</script>

<form name="pgenerate">
<input type="text" size=32 name="output">
<input type="button" value="Generate Password" onClick="populateform(this.form.thelength.value)"><br />
<b>Password Length:</b> <input type="text" name="thelength" size=3 value="32">
</form>

Answer 11

If you are a GNOME user and you also need to store passwords for your various accounts you can try the Revelation password manager. It has a basic password generator feature, in that you only set the password length and choose if to include punctuation characters besides letters and digits.

Answer 12

Correct me if I'm wrong, but: As far as I understood it, there is no way a computer can come up with a completely random string. So I came up with the following idea [and hope it isn't completely stupid]:

If one throws a 26-sided dice, the chance to throw, say 26 is 1:26. In other words: The chance to throw 26 is about 0.04%. Further, a dice has no memory and no bugs. I came up with the following idea:

• get a 26 sided dice, where each side matches a letter of the alphabet
• get a ten sided dice where each side matches a number between 0 and 9
• flip a coin
• head means: throw letter dice
• tails means: throw number dice

Paper Models to print out:

• 10 sided dice: http://www.korthalsaltes.com/model.php?name_en=decahedron
• 26 sided dice: http://www.korthalsaltes.com/model.php?name_en=rhombicuboctahedron

Note: I'm not a Math Pro and I came up with this idea after reading an article in 2600 magazine which described this. I just added some of my own ideas on the basic concept.

Also: I wonder if this isn't just a perfect example for 'write your first brute force password cracker'. But your question gave me a perfect reason to bring forth this idea for being discussed.