How to generate a secure password?

There are no 100% secure passwords. Cracking any password is just a matter of time. But as programmers, we can make it harder.

Daily I use Ubuntu. The solutions provided will therefore apply to this environment. But these solutions are available on various Linux distributions.

Little improvisation

This way is to use Linux commands and a dictionary file. The shuf command will randomize a few words. And tr will remove the enters and this way we get a long password. Long doesnโ€™t mean safe.

$ shuf -n8 /usr/share/dict/words | tr -d '\n'
PentaxAlsopwigwamsunsureexplorationsupposedlyattiresignalling

This idea is taken from Stack Overflow. I strongly advise against generating a password in this way.

pwgen

Pwgen is a tool for automatic password generation. Pwgen generates random, meaningless but pronounceable passwords. The term pronounceable and a password of several dozen letters are in my opinion an oxymoron. The generated passwords include only lowercase letters, or upper and lower case mixed, or digits. For better memorization, capital letters and numbers are placed in the appropriate positions. It gives the impression of constructed words. The pwgen command with no parameters will generate 160 eight-characters passwords. Usually, one password is needed. Moreover, eight letters in a password are definitely not enough.

Click here to see how to install pwgen.

Installing pwgen:

sudo apt install pwgen


To generate 1 password with 32 characters:

$ pwgen 32 1
gugoqu0Ziu4unguori7Ehooroo4eic1o

Need more characters in your password? No problem.

$ pwgen 48 1
ahr6ejei4uithohloh9aib8IeY4zu4KaecuGheijo0IngooV

Even more password characters? Your wish is my command.

$ pwgen 64 1
eem1Aighehupuaphie5eo5Apah3baataegahxiec3quenaeMieH6eiMaj9hai0Oh
Click here to see a pwgen parameter list.

$ pwgen -h
Usage: pwgen [ OPTIONS ] [ pw_length ] [ num_pw ]

Options supported by pwgen:
  -c or --capitalize
	Include at least one capital letter in the password
  -A or --no-capitalize
	Don't include capital letters in the password
  -n or --numerals
	Include at least one number in the password
  -0 or --no-numerals
	Don't include numbers in the password
  -y or --symbols
	Include at least one special symbol in the password
  -r <chars> or --remove-chars=<chars>
	Remove characters from the set of characters to generate passwords
  -s or --secure
	Generate completely random passwords
  -B or --ambiguous
	Don't include ambiguous characters in the password
  -h or --help
	Print a help message
  -H or --sha1=path/to/file[#seed]
	Use sha1 hash of given file as a (not so) random generator
  -C
	Print the generated passwords in columns
  -1
	Don't print the generated passwords in columns
  -v or --no-vowels
	Do not use any vowels so as to avoid accidental nasty words


Regarding security, I think itโ€™s worth reading the Anarcat post. The author strongly advises against using pwgen.

apg

APG means Automated Password Generator.

Click here to see how to install apg.

Installing apg:

sudo apt install apg


apg uses two algorithms to generate passwords. The first is based on an algorithm for generating pronounced passwords. The second is an algorithm for generating passwords with random characters. This first algorithm is outdated. His vulnerabilities were discussed at the National Computer Security Conference. This second algorithm has 35 configurable operating modes.

The apg command generates several passwords by default.

$ apg
^ovWiffAsdelv1 (CIRCUMFLEX-ov-Wiff-As-delv-ONE)
Opp\knis8 (Opp-BACKSLASH-knis-EIGHT)
tyob9Ok* (tyob-NINE-Ok-ASTERISK)
Igyat2orIct[ (Ig-yat-TWO-or-Ict-LEFT_BRACKET)
;ojWiuxCund4 (SEMICOLON-oj-Wi-ux-Cund-FOUR)
VuodecDis5op< (Vu-od-ec-Dis-FIVE-op-LESS_THAN)

To generate 1 password with 64 characters, type:

$ apg -m 64 -n 1
AtnokFuvWapIllAwkugheidijviFasOrIzyictUnveyzMobavArdOkWockyiesBu

By adding the parameter -a 0 you can use the first algorithm:

$ apg -a 0 -m 64 -n 1
riWrovDisickuAbpoovhyijyatyicdoupIalneDrojeuvwochanVafJeucgutoob

And the parameter -a 1 uses the second algorithm:

torrocus@knuth:~$ apg -a 1 -m 64 -n 1
zB;W&)dg(_1!{eZ@wBxkOO/x7<:DU5k]u3TW\aTgs.nK$rT\5"FKYBy(WKrpR-qA
Click here to see a apg parameter list.

$ apg -h

apg   Automated Password Generator
        Copyright (c) Adel I. Mirzazhanov

apg   [-a algorithm] [-r file]
      [-M mode] [-E char_string] [-n num_of_pass] [-m min_pass_len]
      [-x max_pass_len] [-c cl_seed] [-d] [-s] [-h] [-y] [-q]

-M mode         new style password modes
-E char_string  exclude characters from password generation process
-r file         apply dictionary check against file
-b filter_file  apply bloom filter check against filter_file
                (filter_file should be created with apgbfm(1) utility)
-p substr_len   paranoid modifier for bloom filter check
-a algorithm    choose algorithm
                 1 - random password generation according to
                     password modes
                 0 - pronounceable password generation
-n num_of_pass  generate num_of_pass passwords
-m min_pass_len minimum password length
-x max_pass_len maximum password length
-s              ask user for a random seed for password
                generation
-c cl_seed      use cl_seed as a random seed for password
-d              do NOT use any delimiters between generated passwords
-l              spell generated password
-t              print pronunciation for generated pronounceable password
-y              print crypted passwords
-q              quiet mode (do not print warnings)
-h              print this help screen
-v              print version information


This solution is a bit outdated but still available in packages.

diceware

Diceware creates memorizable passphrases from wordlists and various sources of randomness.

Click here to see how to install diceware.

Installing diceware:

sudo apt install diceware


Running diceware generates a password that consists of 6 words (default).

$ diceware
SlipsTrumpetSariWaxIdeaDare

Of course, the number of words in the password can be changed.

diceware -n 10
SlamsZealWhoseTineLoomAnagramMossBrimBleatIsotope

An interesting option is the possibility of rolling real dice. I used this option once. As humans, I think weโ€™re too lazy.

$ diceware -r realdice
Please roll 5 dice (or a single dice 5 times).
What number shows dice number 1?
...
What number shows dice number 5?
SoundLimaQuakeCaptainPrudeFrost

Such passwords are probably easier to remember. Are these passwords more secure? This is a matter for discussion.

Click here to see a diceware parameter list.

The diceware parameter list is as follows:

$ diceware -h
usage: diceware [-h] [-n NUM] [-c | --no-caps] [-s NUM] [-d DELIMITER]
                [-r SOURCE] [-w NAME] [--dice-sides N] [-v] [--version]
                [INFILE]

Create a passphrase

positional arguments:
  INFILE                Input wordlist. `-' will read from stdin.

optional arguments:
  -h, --help            show this help message and exit
  -n NUM, --num NUM     number of words to concatenate. Default: 6
  -c, --caps            Capitalize words. This is the default.
  --no-caps             Turn off capitalization.
  -s NUM, --specials NUM
                        Insert NUM special chars into generated word.
  -d DELIMITER, --delimiter DELIMITER
                        Separate words by DELIMITER. Empty string by default.
  -r SOURCE, --randomsource SOURCE
                        Get randomness from this source. Possible values:
                        `realdice', `system'. Default: system
  -w NAME, --wordlist NAME
                        Use words from this wordlist. Possible values: `en',
                        `en_eff', `en_orig', `en_securedrop'. Wordlists are
                        stored in the folder displayed below. Default:
                        en_securedrop
  -v, --verbose         Be verbose. Use several times for increased verbosity.
  --version             output version information and exit.

Arguments related to `realdice' randomsource:
  --dice-sides N        Number of sides of dice. Default: 6

Wordlists are stored in /usr/lib/python2.7/dist-packages/diceware/wordlists


Is it worth using password generators?

Yes of course. Mainly because each of us has our own behavioral profile. Itโ€™s easier to crack a person than a strong password.