Dr. Marco Engeler
19.08.2010 12:22

Creating random passwords

Category: Linux


Setting up new users is a common task on Unix systems and usually requires the creation of an initial password. The password should be random so as not to compromise security. Many users never change their passwords, especially in situations where they only access the Linux box via POP or IMAP. In those situations, having a password that appears in a dictionary is asking for trouble. Of course you can type random characters on the keyboard yourself, but doing mindless tasks is somehow against the spirit of IT.

If you don't have a random password generator at hand you might want to download one. When you type the search term "random password generator" into Google you will get many results. But as is always the case with internet searches, not all results are useful, and it will take you some time to find a tool that you decide to download and install.

In this article I am going to show you that you already have everything you need on your Linux console.

Extracting random bits

The first step in generating random passwords is extracting some random bits from somewhere. On most Linux systems you have two special devices, /dev/random and /dev/urandom, which you can use to extract random bits from an entropy pool. The devices maintain an entropy pool which is fed by network and user interface data. While /dev/urandom blocks on read when not enough random data is available, /dev/random will continue to output even if the entropy pool dries up. This is why we will use /dev/random below. In order to read the data from the entropy pool we use the command dd:

dd if=/dev/random count=1 2>/dev/null

dd by default reads data in blocks of 512 bytes for as long as input is available. Therefore we limit the number of blocks to one. We also don't want the statistics dd prints on completion, which is why we send STDERR to /dev/null.

Convert to alphanumeric

The data we have obtained are bytes with values from 0 to 255. What we want for passwords, however, are alphanumeric characters. This basically means base64. We are going to use base64 here and simply throw away the /, + and = signs with sed. This is motivated by the fact that the base64 command is available on many systems as part of coreutils. The command then looks as follows:

dd if=/dev/random count=1 2>/dev/null | base64 | sed -e 's/[+=\/]//g'

Limiting password size

Of course the passwords we obtain are a bit too long, so we use cut to extract the first 8 characters. We then have:

dd if=/dev/random count=1 2>/dev/null | base64 | sed -e 's/[+=\/]//g' | cut -b 1-8


Multiple passwords

The command as given above will return 3 passwords because of the data size given to base64. If you want to, you can shorten this with head, thus obtaining:


dd if=/dev/random count=1 2>/dev/null | base64 | sed -e 's/[+=\/]//g' | cut -b 1-8 | head -n 1

Making it into a command

In order to make this into a usable command I have defined something like the above command as an alias in my environment. For bash this can be done with:

alias randompw="dd if=/dev/random count=1 2>/dev/null | base64 | sed -e 's/[+=\/]//g' | cut -b 1-8 | head -n 1"
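The steps above combined into one shell function, as an added example that is not part of the original article. It wraps the dd | base64 | sed | cut pipeline in a function that takes the password length as a parameter and keeps reading blocks until enough alphanumeric characters have been collected, so the sed step stripping characters from a line can never leave a password shorter than requested. The function names randompw, is_alnum and entropy_bits are my own, and the example reads /dev/urandom rather than the article's /dev/random (on current Linux kernels both devices are fed from the same CSPRNG once it is initialised). entropy_bits reports how much randomness an n-character password drawn from the remaining 62-symbol alphabet carries (n * log2 62, about 47 bits for 8 characters), which is the figure to compare against a password policy before settling on a length.

```shell
#!/bin/sh
# Added example, not from the original article: the article's base64 pipeline
# as a function with a length parameter.  Assumption: reads /dev/urandom.

randompw() {
    len="${1:-8}"            # default length 8, as in the article's alias
    pw=""
    # Keep appending until at least $len usable characters are available.
    while [ "${#pw}" -lt "$len" ]; do
        # one 512-byte block -> base64 -> drop the three non-alphanumeric
        # base64 symbols -> join the wrapped base64 lines into one string
        chunk=$(dd if=/dev/urandom count=1 2>/dev/null \
                | base64 | sed -e 's/[+=\/]//g' | tr -d '\n')
        pw="$pw$chunk"
    done
    # Same job as "cut -b 1-8" in the article, with the length parameterised.
    printf '%s\n' "$pw" | cut -b "1-$len"
}

# Returns 0 if the argument consists only of A-Z, a-z, 0-9 (the characters
# the pipeline is meant to produce), 1 otherwise (including the empty string).
is_alnum() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *)                 return 0 ;;
    esac
}

# Entropy in whole bits of a password of $1 characters drawn uniformly from
# an alphabet of $2 symbols: len * log2(alphabet).  62 symbols remain after
# the sed step.
entropy_bits() {
    awk -v n="$1" -v a="${2:-62}" \
        'BEGIN { printf "%d\n", int(n * log(a) / log(2)) }'
}

# usage: sh randompw.sh [length]
randompw "${1:-8}"
```

The loop matters only in the rare case where a line has lost many characters to sed, but it turns a "usually 8 characters" pipeline into an "always N characters" one, which is what you want when the output is fed straight into an account-creation script.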