'passwd' password generator

[one_red_eye]

I like using the passwords generated by 'passwd'. Is there a way to use this mechanism to generate passwords without having to SSH into a linux machine?

Code: Select all

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters, digits, andother characters.  You can use a password containing at least 7 characters
from all of these classes, or a password containing at least 8 characters
from just 3 of these 4 classes.
An upper case letter that begins the password and a digit that ends it do notcount towards the number of character classes used.

A passphrase should be of at least 3 words, 11 to 72 characters long, and
contain enough different characters.

Alternatively, if no one else can see your terminal now, you can pick this asyour password: "Gun6urge5isaac".

Enter new password:

[alamahant]

[Administrator edit: As reported down thread, the mechanism in this post is not suitable for quality passwords, and should not be used. Readers should refer to later posts in the thread for stronger mechanisms of generating passwords. -Hu]

Hi

Code: Select all

date | md5sum

Should work in powershell also.
Maybe mac.

[Hu]

I like using the passwords generated by 'passwd'. Is there a way to use this mechanism to generate passwords without having to SSH into a linux machine?

You can use this when logged in locally, too. There is no need to ssh to a remote machine to run this command. Do you mean you are using some non-Linux system which lacks this command, and you want to run the command anyway?

[one_red_eye]

I use an Android device to SSH to a computer. There is no end to password generator websites and apps. I want to generate passwords based on the pattern above because I can actually remember them.

{word} {number or special character} {word} {number or special character} {word}

[Zucca]

That shouldn't be too hard to script.
You need to have some dictionary file to parse and the hardest part is done.

[pjp]

Dealing with special characters can cause some issues with output, but maybe that's my limitation.

Anyway, a basic start from which you can choose your own special characters: shuf -n 3 /usr/share/dict/words

[Hu]

The requirements still seem strange to me. You want to use neither a website nor an Android app, and you want to do this from an Android smartphone, so you don't have access to a proper Linux environment where you could just run passwd. Given those constraints, what can you run that could produce any output, while being local, not a website, and not an Android app?

If we set that aside and say you just need a Linux script, then this should do it:

Code: Select all

#!/bin/bash

set -eu
declare -a w n
w=( $( shuf -n3 /usr/share/dict/words ) )
n=( $( shuf -n2 -e \! \" \# \$ \% \& \' \( \) \* \+ \, \- \. \/ \: \; \< \= \> \? \@ \[ \\ \] \^ \_ \` \{ \| \} \~ ) )
printf '%s%s%s%s%s\n' "${w[0]}" "${n[0]}" "${w[1]}" "${n[1]}" "${w[2]}"

The most time consuming part turned out to be getting the special characters, because I wanted bash to generate those from a brace expansion. Once I gave up and listed them out, the rest was easy.

[spica]

I like using the passwords generated by 'passwd'. Is there a way to use this mechanism to generate passwords without having to SSH into a linux machine?

app-admin/pwgen

Code: Select all

$ pwgen -c -n -s -y 32
zhGTcx900.`CmSY12P=O8gtZSH=Uo&JL `0.K]Zt6k{gh2J^l"Lx$yv7f"4HPdy^P
e8RJ<)7=2[fCu`2[`G!lsis^{s@j1:tg nz;PW6ZXQKs>3V#>S)x*~z@ob=Oije9>
di0>>#OmPivnQ3ru#P./Fe%Mv?uE!JBZ $Nwv:e$C2$;m!KWw4MAletHkKBj0_F;;
Q'u[`=2Ev"J|)x:fx4KXF]K9LUD[+!S| |Xg_|\:m[g,G7x1zSlO<OH")8C>cHl}I
!$ChDY_'%+Jp@/IGV*75;E{58:%azWJY .fS8ss6o5G+^v_QRVq}7}\$V]g'D;V?1
GcgV;6A./yMy^y3[h#||5BF\a~[lsXvl *R_@gNL,g=y7Nz0AX?q*6jF4U22/Gtg`

Upd: man 1 pwgen - generate pronounceable passwords

The pwgen program generates passwords which are designed to be easily memorized by humans

Code: Select all

$ pwgen 12
soaShoh1fae0 thuTo0xae7Ki uMo4iac1meid IePhais2voph gu2chaigoCah aiK5eixieY6u
oox9ooB9Wei6 shaeHoon7zah oi3Ahfo9zore eg9ahPhaesee EiGhae8om3ie aoyoh8eeKo5u
Dee7Fah0Mooh ongaebohVo3o fie1chohShi6 hee1eecei5Sh ceiXu8ooqu3l la1eiSh3ahng
aif4eiZ2xae3 veiToh2dohz0 Iehagoe5eigu loo2ahgaiw1S tohLeaX9aihu ong5eYu9Eing

[one_red_eye]

The requirements still seem strange to me. You want to use neither a website nor an Android app, and you want to do this from an Android smartphone, so you don't have access to a proper Linux environment where you could just run passwd. Given those constraints, what can you run that could produce any output, while being local, not a website, and not an Android app?

If we set that aside and say you just need a Linux script, then this should do it:

Code: Select all

#!/bin/bash

set -eu
declare -a w n
w=( $( shuf -n3 /usr/share/dict/words ) )
n=( $( shuf -n2 -e \! " \# \$ \% \& \' \( \) \* \+ \, \- \. \/ \: \; \< \= \> \? \@ \[ \\ \] \^ \_ \` \{ \| \} \~ ) )
printf '%s%s%s%s%s\n' "${w[0]}" "${n[0]}" "${w[1]}" "${n[1]}" "${w[2]}"

The most time consuming part turned out to be getting the special characters, because I wanted bash to generate those from a brace expansion. Once I gave up and listed them out, the rest was easy.

That's awesome! One question, how do I randomly capitalize the first letter of the words before it goes to output?

[pjp]

Once I gave up and listed them out, the rest was easy.

Interesting. I didn't think I had useful results with shuf's -e option. The only reference I see in my history seems to have worked, so I too must have wanted to avoid listing them all out. Which I ended up doing a different way (that didn't work), so I must have forgotten about -e. Avoiding arrays adds some extra stimulation.

[Hu]

That's awesome! One question, how do I randomly capitalize the first letter of the words before it goes to output?

The randomness comes from shuf, and shuf does not seem to offer that. However, you could fake it by having bash transform the results before printing. If you wanted to always capitalize a word, use "${w[0]^}". To do it randomly, you would need bash to flip it.

Code: Select all

#!/bin/bash

set -efu
declare -a w n
w=( $( shuf -n3 /usr/share/dict/words ) )
n=( $( shuf -n2 -e \! " \# \$ \% \& \' \( \) \* \+ \, \- \. \/ \: \; \< \= \> \? \@ \[ \\ \] \^ \_ \` \{ \| \} \~ ) )
for i in {0..2}; do
	if [[ $(( $RANDOM % 2 )) = 0 ]]; then
		w[$i]="${w[$i]^}"
	fi
done
printf '%s%s%s%s%s\n' "${w[0]}" "${n[0]}" "${w[1]}" "${n[1]}" "${w[2]}"

This also fixes a bug in the earlier version that allowed * to expand as a file glob.

[figueroa]

BTW, sha1pass generates a pretty good password, but you definitely won't remember it. sha1pass comes from sys-boot/syslinux.

[forrestfunk81]

Use Keepass.
Its available for Linux (KeepassXC) and Android (Keepass2), it can generate passwords in many configurable ways and helps you remember your passwords. Just share the encrypted kdbx file via Nextcloud or something similiar between your devices.

[figueroa]

My encrypted passwords and other secrets file is NOT going to be placed on any company's storage on the internet.

[forrestfunk81]

My encrypted passwords and other secrets file is NOT going to be placed on any company's storage on the internet.

Mine neither! You can host NextCloud or similiar file exchange services by yourself

[figueroa]

My encrypted passwords and other secrets file is NOT going to be placed on any company's storage on the internet.

Mine neither! You can host NextCloud or similiar file exchange services by yourself

Within my network(s) I just use SFTP and NFS. I only use common Unix/Linux software in order to not be dependent on ever changing 3rd party applications. I am, admittedly, old-school and lightly paranoid.

[spica]

These fancy passwords are generated by a code from sys-auth/passwdqc, see man 1 pwqgen

[eccerr0r]

Again going to the password strength meter one liner:

Code: Select all

$ echo $(egrep '^[a-z]{4,7}$' /usr/share/dict/words|shuf -n4)|tr -d ' '

I chose to remove the words with too many or too few characters, words with apostrophes, hyphens, or capitalization, and I think this should still be be in the spirit.
Removing the spaces is optional of course.

I just wonder how long it would take the above script to generate correcthorsebatterystaple....

[Hu]

I see ~48k words that match your filter[1]. I think this is an N-choose-R problem. Since we care about order, the probability of hitting the right choice on any given try is ~.00000000000000000018 (1 / (48458 * 48457 * 48456 * 48455)).

You could avoid the use of tr with a careful printf: printf '%s%s%s%s\n' $(grep -E '^[a-z]{4,7}$' /usr/share/dict/words|shuf -n4). If you want it to work regardless of the shuffle count, you could use { printf '%s' $(grep -E '^[a-z]{4,7}$' /usr/share/dict/words|shuf -n4); echo; } This relies on printf to discard the whitespace (newlines), then uses a bare echo to emit a newline at the end.

[1]:

Code: Select all

)$ grep -E '^[a-z]{4,7}$' /usr/share/dict/words -c
48458

[eccerr0r]

These no-numbers xkcd password generators, one could salt them by just appending or prepending your birthday or year and would make it even worse to guess, no real need to intersperse the digits. Jury's still out on spaces or not. Either way to take advantage of it, one would have to know you did omit them or not, and that's another bit of entropy!

[flexibeast]

(As an aside, to get a Linux environment on one's Android device, without root, there's Termux.)

[Leonardo.b]

I always try to genetate strong passwords and keep them safe, even for crappy sites.
Then I've tried to open a bank account, and the last step of onboarding requested me a password of MAXIMUM lenght 6 chars, no symbols allowed.

[eccerr0r]

technically speaking your account username for banks is a kind of password since there's no real need to share that information (unless you use it on other sites, which is also a "bad idea"). So a bit of entropy is there too to prevent hacking as long as account lists don't get disclosed...

Granted a stored hash of a password is more secure than plaintext account names.

This doesn't apply for un*x account names as it's typically shared for email or ls -l ...

[Leonardo.b]

Said bank relies on phone authentication by SMS, password is in top of that. But I don't consider it safe enough for my moneys.
By the way, I know they store passwords in plain text too.

[b11n]

Code: Select all

date | md5sum

It seems like it generates a strong password, but it really doesn't. Cryptographically, it's barely any better than just using the output of `date` itself. If an attacker suspects targets are using such a method to generate passwords, it drastically reduces the effort to mount brute-force attacks.

Sorry to dig up an old post, but this is a Bad Idea that shouldn't be left unchallenged. Could an admin please flag it as such for anyone who might find it?

[Administrator response: I thought the later posts were sufficient, but adding a warning is easy enough, so done. -Hu]