User Tools

Site Tools


security:misc:how-can-i-generate-a-secure-random-password

Generating Secure Passwords

It is important to make sure each and every password used for any type of account is strong. Before we get into how to generate these passwords, let's go over some of the characteristics of strong passwords.

Characteristics of Secure Passwords

Password security is one of the key parts of security of any application, whether it's a website, email address, or any other type of account in the server.1) It is very important that each and every password you use anywhere have all three of these features:

  • Long: It is very important that the password is long enough that someone attempting a bruteforce attack would need a very long time to guess it, even if they are guessing very quickly.
  • Randomized: It is very important not to use any dictionary words, phrases, or strings, that someone attempting a dictionary-based attack might try before starting to bruteforce their way through all possible choices. Since potential attackers are constantly updating their dictionaries with newly-common passwords, the best way to avoid a password eventually being in such a dictionary is to generate it completely randomized.
  • Unique: It is very important that passwords are not reused ever. Every time you reset a password, or make a password for a new account, it should be different from any other password you have used. This way, if one of your passwords does become compromised, the attackers will not be able to get into your other accounts with the same password.

The easiest way to fulfill all of these, is to regenerate a new password randomly, each time you create or reset a password of any kind.

Adding "special characters"2) can help make a password "effectively longer" without adding more characters. For this reason some applications will require you to use at least one of this type of character. However, applications differ on which special characters they allow. Additionally, if a password is long enough, then an alphanumeric password can still be as secure as a shorter password that has special characters. For this reason, it is probably easiest to generate a longer password with alphanumeric3) characters, and then add one or more special characters afterwards if required.4)

Storing the Passwords

It is also important when choosing a password, to consider how the password will be stored. You need to make sure you will have access to the password, but no one else will. "Ideally" you would memorize the password and never store it anywhere outside of your head, however, due to the faliability of human memory, this is not reliable for more than a small number of passwords, or for passwords that are not short. And a short, reused, or non-random password is going to be very easy for potential attackers to guess, which renders the password useless. So it is almost inevitable that the password will have to be stored somewhere.

It is not a good idea to store the password in a plain-text or weakly-obfuscated format in your computer, since it is very common for computer infections to find passwords in this way, and send them to attackers to use to log into your various accounts. For example, the web browser's password storage is one of the first places these infections will look, so it is especially not recommended to let the web browser itself store the passwords. Nor should you use a plaintext file on your desktop or in your documents folder, for the same reason. If you do need to store the passwords in your computer, it is recommended to use a program like KeePassX5) or a service like LastPass.6)

If you do not have a password manager like these, or if the password is for something like your workstation where you have to log in before being able to even access the password manager, the next best option would be to write the passwords down. It is very important not to lose this paper. It is also strongly recommended to obfuscate the passwords, as well as which account each password is for. Make sure that when looking at the page, you will know what the passwords are and what they go to, but that someone else looking at the page will know neither.

Generating the Passwords

If you do have a password manager like KeePassX or like LastPass, you can use the built-in password generator there, but it is also useful to know a few ways of generating strong passwords without use of these, in case you need to make up a password when you don't have these available to you. Here are some useful commands for generating long randomized passwords. If your computer uses Linux, Mac, or another Unix-like operating system, or if you are a Windows user using cygwin,7) you should be able to use these commands in your computer's commandline. If this is not possible, or if you prefer to generate the passwords from within your server, you can log in via SSH and run the commands there.8)

These commands show example output of what the output of the command might look like. Do NOT use these specific passwords! Run the desired command yourself to generate your own.

Here are some commands to get you started. To some extent, pieces of these can be mixed and matched to get different types of results. For advanced users, you can learn more about each of these commands by typing man urandom, man head, man base64, man tr, man cut, man cat, man echo, and/or man seq. More about for loops can be found here.

Generate one 50-character alphanumeric password

$ head -c 50 /dev/urandom | base64 | tr -d '/+=' | cut -c1-50
VIUmBnM5O6e9ULzrQIUbeBNxtifV3FnvxXguRNWUEkg7RLyj2O

Generate one 23-character alphanumeric password

$ head -c 23 /dev/urandom | base64 | tr -d '/+=' | cut -c1-23
hoof1VnzfCkvyjRQPlRcRzr

Generate one 16-character password, permitting specific special characters

Permitting characters [email protected]#$%^:

$ cat /dev/urandom | tr -dc '[:alnum:][email protected]#$%^' | head -c 16; echo ""
[email protected]

Generate five 16-character passwords, permitting specific special characters

Permitting characters $%^&*:

$ for each in $(seq 5); do cat /dev/urandom | tr -dc '[:alnum:]$%^&*' | head -c 16; echo ""; done
hVEa$sryiMfaJYEN
LqB7zjdPysdx43%p
Rf%9BkCuPUs1pLCH
efUodde*Msvgh0LR
xiQYFHE5HyOZPtzi

Generate five 23-character alphanumeric passwords

$ for each in $(seq 5); do head -c 23 /dev/urandom | base64 | tr -d '/+=' | cut -c1-23; done
D6vx2gjJrKLdmA3QpON8IvP
Cs41lyWMLsFQrmyTR0qLmnD
MVjASrpGdcQhH216JoCFxLf
ICaS1MwyWBFetQEKafJmrt2
jiKtKJqDEmZAiBtm667p83q
1)
or on any computer, device, or network
2)
such as [email protected]#$%^&*()_+=-{}|\][:"';<>?/.,
3)
ie, numbers and upper and lower case letters
4)
or if the application only allows short passwords
7)
or, if you are using a newer Windows version that has added support for these commands without needing something like cygwin
8)
Note for advanced users: These commands assume your shell is bash. If you are using something else, the syntax or commands for these tasks may vary.
security/misc/how-can-i-generate-a-secure-random-password.txt · Last modified: 2016/10/17 17:14 by Marjorie S.