Generate Random Passwords from the Command Line
Some of the most secure passwords you can use are randomly generated ones. From the command line, you can generate random character sequences in a multitude of ways and use them as passwords.
We’ll cover several primary methods of generating random sequences and then show you how to combine commands to make the generated passwords even more random.
How to Generate Random Passwords via Command Line
First, we’ll try my go-to method that uses openssl:
openssl rand -base64 6
The output of this command will be completely random, and look something like: cG/ah3+9
You can adjust the length of the password by changing the number at the end of the command; it is the number of random bytes, so 6 bytes produce 8 base64 characters. If you don’t want to end up with any abnormal characters like / and +, you can generate from hex too:
openssl rand -hex 4
If that isn’t random enough, you can pipe the randomized output of openssl through md5 and trim the md5 hash of the randomized output down to a set number of characters:
openssl rand -base64 8 | md5 | head -c8; echo
You can also get creative and take random input from other commands, such as date, and trim 8 characters from the current date’s md5 hash:
date | md5 | head -c8; echo
Or even ping:
ping -c 1 yahoo.com | md5 | head -c8; echo
Using the md5 method, you can take the output of any command, or file, to create a secure password.
Obviously all of these randomized passwords aren’t easy to remember, which is why it can be helpful to use a password manager, but that’s another topic.
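The entropy arithmetic behind the commands above, as an added example that is not part of the original article: `genpass_b64` requests just enough random bytes for a base64 password of a given length, and `pipeline_bits` shows that `| md5 | head -c8` can never yield more than 32 bits, nor more than its source supplies. The function names are hypothetical, and the 24-bit figure for `date` is a reader's estimate from the comments below, not a measurement.

```shell
#!/usr/bin/env bash
# Added example (not from the article); all function names are hypothetical.

# entropy_bits ALPHABET_SIZE LENGTH -> bits in a uniformly random string.
# Rounded to whole bits; exact for the power-of-two alphabets used here.
entropy_bits() {
    awk -v a="$1" -v n="$2" 'BEGIN { printf "%d\n", n * log(a) / log(2) + 0.5 }'
}

# pipeline_bits SOURCE_BITS ALPHABET_SIZE LENGTH -> bits that survive
# "source | md5 | head -cLENGTH": hashing cannot add entropy, and the
# truncated hex output caps whatever the source provided.
pipeline_bits() {
    local cap
    cap=$(entropy_bits "$2" "$3")
    if [ "$1" -lt "$cap" ]; then echo "$1"; else echo "$cap"; fi
}

# random_b64 NBYTES -> base64 of NBYTES from the system CSPRNG, on one line.
# Falls back to /dev/urandom when openssl is not installed.
random_b64() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$1"
    else
        head -c "$1" /dev/urandom | base64
    fi | tr -d '\n'
}

# genpass_b64 LENGTH -> LENGTH base64 characters, 6 bits each.
# ceil(LENGTH * 3/4) bytes guarantees the first LENGTH characters are full
# 6-bit symbols, so trimming never keeps '=' padding.
genpass_b64() {
    local len=${1:-16}
    local nbytes=$(( (len * 3 + 3) / 4 ))
    random_b64 "$nbytes" | head -c "$len"
    echo
}

echo "base64 x16: $(genpass_b64 16)  ($(entropy_bits 64 16) bits)"
echo "hex x16:    $(entropy_bits 16 16) bits"
echo "openssl rand -base64 8 | md5 | head -c8: $(pipeline_bits 64 16 8) bits"
echo "date | md5 | head -c8 (24-bit source, per a comment): $(pipeline_bits 24 16 8) bits"
```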
I love how everyone is ranting about using hex (16 symbols) instead of the output of `openssl rand -base64` directly (64 characters), because it’s losing 2 bits of entropy per character, but no-one notices that `date | whatever` will only ever give you about 24 bits of entropy, if you know which year the password has been generated in.
To the editors: Please remove the advice of using `date` as a source of randomness. Calling it a “source of randomness” doesn’t make sense.
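# Random Password Generator function in ~/.bash_profile
#
genpasswd() {
    # Requested length; defaults to 20 characters when no argument is given
    local l=$1
    [ "$l" == "" ] && l=20
    # Keep only A-Za-z0-9_ from the kernel CSPRNG and stop after $l characters
    LC_CTYPE=C tr -dc A-Za-z0-9_ < /dev/urandom | head -c "$l" | xargs
}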
Example:
$ genpasswd 28
G12El6NcUhcUf8vAK3wpw8TufrNU
$ genpasswd
skr2g6iXNFbMID5tkX2n
For the love of little green onions, DON’T run your random base64 output through md5, or sha256, or any other such hash, and DON’T use openssl rand -hex. Doing so will limit the available characters in your password to the digits 0-9 and the letters a-f, usually lowercase — a VERY small keyspace compared to the full output range of base64.
Either use the built in generator in your favorite Password Safe port, or use the full range of output from something like openssl rand -base64 n’ (where n’ is 3/4 of the length you want for your password).
Have you ever noticed that the output of md5 function is in HEX? That means only 16 char alphabet, probably the name of your dog+some random date+some punctuation is even better.
What jch said ^
The last example, using the output of “ping -c1 yahoo.com” is an appallingly bad way to choose a random password. Even the most optimistic assumptions about the variability of ping time are only going to give you about 100,000 different passwords. On the other hand, eight bytes of base 64 encoded randomness from openssl is going to give you 281 trillion passwords.
I love the power of the command line, but if you’re going to use a password manager you might just as well use the pwm’s built-in random generator …
If you have macports installed, you could use the ‘pwgen’ command for more options.
The random function of openssl alone should be adequate, the rest is just showing off and integrating further complexity, which is great for even further obfuscation but it’s likely unnecessary for the average user.
I’d also recommend including the first 2-3 characters of the service or site in question at the beginning, it helps to aid recall.