KNOWNHOST KNOWLEDGE BASE

Hosting Question? Find the Solution - Browse our Guides, Articles, and How-To's

How can I generate a secure random password?

It is important to make sure each and every password used for any type of account is strong. Before we get into how to generate these passwords, let’s go over some of the characteristics of strong passwords.

Characteristics of Secure Passwords

Password security is one of the key parts of security of any application, whether it’s a website, email address, or any other type of account in the server (or on any computer, device, or network). It is very important that each and every password you use anywhere have all three of these features:

  • Long: It is very important that the password is long enough that someone attempting a bruteforce attack would need a very long time to guess it, even if they are guessing very quickly.
  • Randomized: It is very important not to use any dictionary words, phrases, or strings, that someone attempting a dictionary-based attack might try before starting to bruteforce their way through all possible choices. Since potential attackers are constantly updating their dictionaries with newly-common passwords, the best way to avoid a password eventually being in such a dictionary is to generate it completely randomized.
  • Unique: It is very important that passwords are not reused ever. Every time you reset a password, or make a password for a new account, it should be different from any other password you have used. This way, if one of your passwords does become compromised, the attackers will not be able to get into your other accounts with the same password.

The easiest way to fulfill all of these, is to regenerate a new password randomly, each time you create or reset a password of any kind.

Adding “special characters” (such as !@#$%^&*()_+=-{}|\][:"';<>?/.,) can help make a password “effectively longer” without adding more characters. For this reason some applications will require you to use at least one of this type of character. However, applications differ on which special characters they allow. Additionally, if a password is long enough, then an alphanumeric password can still be as secure as a shorter password that has special characters. For this reason, it is probably easiest to generate a longer password with alphanumeric (ie, numbers and upper and lower case letters) characters, and then add one or more special characters afterward if required (or if the application only allows short passwords).

Storing the Passwords

It is also important when choosing a password, to consider how the password will be stored. You need to make sure you will have access to the password, but no one else will. “Ideally” you would memorize the password and never store it anywhere outside of your head, however, due to the faliability of human memory, this is not reliable for more than a small number of passwords, or for passwords that are not short. And a short, reused, or non-random password is going to be very easy for potential attackers to guess, which renders the password useless. So it is almost inevitable that the password will have to be stored somewhere.

It is not a good idea to store the password in a plain-text or weakly-obfuscated format in your computer, since it is very common for computer infections to find passwords in this way, and send them to attackers to use to log into your various accounts. For example, the web browser’s password storage is one of the first places these infections will look, so it is especially not recommended to let the web browser itself store the passwords. Nor should you use a plaintext file on your desktop or in your documents folder, for the same reason. If you do need to store the passwords in your computer, it is recommended to use a program like KeePassX or a service like LastPass.

If you do not have a password manager like these, or if the password is for something like your workstation where you have to log in before being able to even access the password manager, the next best option would be to write the passwords down. It is very important not to lose this paper. It is also strongly recommended to obfuscate the passwords, as well as which account each password is for. Make sure that when looking at the page, you will know what the passwords are and what they go to, but that someone else looking at the page will know neither.

Generating the Passwords

If you do have a password manager like KeePassX or like LastPass, you can use the built-in password generator there, but it is also useful to know a few ways of generating strong passwords without use of these, in case you need to make up a password when you don’t have these available to you. Here are some useful commands for generating long randomized passwords. If your computer uses Linux, Mac, or another Unix-like operating system, or if you are a Windows user using cygwin (or, if you are using a newer Windows version that has added support for these commands without needing something like cygwin), you should be able to use these commands in your computer’s commandline. If this is not possible, or if you prefer to generate the passwords from within your server, you can log in via SSH and run the commands there bash. If you are using something else, the syntax or commands for these tasks may vary.))

These commands show example output of what the output of the command might look like. Do NOT use these specific passwords! Run the desired command yourself to generate your own.

Here are some commands to get you started. To some extent, pieces of these can be mixed and matched to get different types of results. For advanced users, you can learn more about each of these commands by typing man urandomman headman base64man trman cutman catman echo, and/or man seq. More about for loops can be found here.

Generate one 50-character alphanumeric password

  $ head -c 50 /dev/urandom | base64 | tr -d '/+=' | cut -c1-50
  VIUmBnM5O6e9ULzrQIUbeBNxtifV3FnvxXguRNWUEkg7RLyj2O

Generate one 23-character alphanumeric password

  $ head -c 23 /dev/urandom | base64 | tr -d '/+=' | cut -c1-23
  hoof1VnzfCkvyjRQPlRcRzr

Generate one 16-character password, permitting specific special characters

Permitting characters !@#$%^:

  $ cat /dev/urandom | tr -dc '[:alnum:]!@#$%^' | head -c 16; echo ""
  67Rxzg0oCN6S6Qk@

Generate five 16-character passwords, permitting specific special characters

Permitting characters $%^&*:

  $ for each in $(seq 5); do cat /dev/urandom | tr -dc '[:alnum:]$%^&*' | head -c 16; echo ""; done
  hVEa$sryiMfaJYEN
  LqB7zjdPysdx43%p
  Rf%9BkCuPUs1pLCH
  efUodde*Msvgh0LR
  xiQYFHE5HyOZPtzi

Generate five 23-character alphanumeric passwords

  $ for each in $(seq 5); do head -c 23 /dev/urandom | base64 | tr -d '/+=' | cut -c1-23; done
  D6vx2gjJrKLdmA3QpON8IvP
  Cs41lyWMLsFQrmyTR0qLmnD
  MVjASrpGdcQhH216JoCFxLf
  ICaS1MwyWBFetQEKafJmrt2
  jiKtKJqDEmZAiBtm667p83q