FROM: UNIX COMMAND LINE WORKSHOP
SKILL LEVEL: FIT
Generating passwords in the GNU/Linux CLI
apg, the Automatic Password Generator
apg is a respected CLI password generator for UNIX systems, favoured in that it generates provably strong passwords with the advantage of providing the user with phonemes to assist memory. It uses /dev/random as the initial random seed. using
The point of introducing phonemes (here, the FIPS-181 NIST Implementation) is that less memorable passwords of the same or even longer length are (counter-intuitively) often /more/ vulnerable than shorter, more memorable strong passwords.
Why is this?
- They’re readily forgotten and so requested back over the wire
- People tend to write them down on computers and objects
- Others tend to use password-managers that (unlike keepass) are often very dubious
- Hard-to-remember passwords are often rotated/changed less regularly, because users are reluctant to go through the challenge of remembering a new one over and over.
Basic apg usage
Creating memorable, strong (for their length) and web-safe alphanumeric passwords is easy with apg.
julian@zeppelin:~$ apg
Please enter some random data (only first 16 are significant)
(eg. your old password):>
VagjanVeit0 (Vag-jan-Veit-ZERO)
CymyudJab3 (Cym-yud-Jab-THREE)
doshawAft7 (dosh-aw-Aft-SEVEN)
rew8griOg7 (rew-EIGHT-gri-Og-SEVEN)
EvNagsebJor1 (Ev-Nags-eb-Jor-ONE)
UlCizIcpeps5 (Ul-Ciz-Ic-peps-FIVE)
apg can also be used to generate non web-safe passwords, the kind that no human can readily remember:
julian@zeppelin:~$ apg -s -a 1 -m 63 -n 6
Please enter some random data (only first 16 are significant)
(eg. your old password):>
MB|YAx)hC#j.5v#%FZQtYQncl<&%`Dw\RGfeChJ9y*Wy3'b`LGuQ`mr*lojjNnB
H%}P)csL)pg``Ezu6Me-57);9$m4+8Vc,j2fz~`Z8-0-15=no."MCI]1r<~Bj.E
e7\R~T:L-rTI*(q"kme]'OQqAC]caGcH#lx(&9{.\f(K)!O?8KO0yhrfFnc_zxp
@8Z|{tg(bKe`*FLO6]*0.c(G+dI8(S2[&ExPqn<lGf}[|zNHoW5SM#~'YZH-&\,
d\#zRe?77$KMv;^(Gl>JD*",T\p(Ho'|hUl>$}:'a)4(4.$njY@vMX_5v:}yf1`
P5,UKPCwLD#AmKau*!e,3!2m1~LD+cR9j4Y\]Q9.AHW<vznnZbw(J4Mj6gk|#,d
Alternative methods
An alternative means of generating similar passwords to apg’s default mode, but without the advantage of memory aids, might be:
julian@zeppelin:~$ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-12};echo;
J9wkdNsa3lyJ
You could also just:
julian@zeppelin:~$ date | md5sum
f3fa14f183604d9d9b318d9f7178e29e -
Or longer:
julian@zeppelin:~$ date | sha256sum
a8969c7fce131787cb4dd7ea773b02422916c739517208a75f42d30de455620a -
NOTE: these two methods are insecure on their own, because the only input is the current date and time, which can be guessed. Use with a bit of salt or just use 16+ chars of it, move chunks around, etc.
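An added example (not from the original workshop page): the /dev/urandom one-liner above wrapped in a shell function, so that ${1:-12} really is the length argument, followed by a rough entropy comparison with date | md5sum. The function names genpw, pw_bits and choices_bits are hypothetical, and the 365-day window is an assumption about how closely an observer can guess when the command was run.

```shell
#!/bin/sh
# Added example: the page's /dev/urandom one-liner as a reusable function.
# genpw, pw_bits and choices_bits are hypothetical names, not part of apg
# or coreutils.

# genpw [LENGTH]: print LENGTH (default 12) characters drawn from the
# 64-symbol set _ - A-Z a-z 0-9, the same set the one-liner keeps.
genpw() {
    len=${1:-12}
    case $len in
        ''|*[!0-9]*) echo "genpw: length must be a positive integer" >&2
                     return 2 ;;
    esac
    [ "$len" -gt 0 ] || { echo "genpw: length must be > 0" >&2; return 2; }
    # LC_ALL=C makes tr treat its input as raw bytes, not multibyte text.
    # The trailing '-' in the set is a literal hyphen.
    LC_ALL=C tr -dc '_A-Za-z0-9-' < /dev/urandom | head -c "$len"
    echo
}

# pw_bits LENGTH CHARSET_SIZE: upper bound on entropy in bits,
# LENGTH * log2(CHARSET_SIZE), assuming every character is chosen uniformly.
pw_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.0f\n", n * log(k) / log(2) }'
}

# choices_bits COUNT: log2 of the number of equally likely inputs.
# For `date | md5sum` the hash adds no randomness; only the input varies,
# so the number of possible timestamps bounds the entropy of the output.
choices_bits() {
    awk -v c="$1" 'BEGIN { printf "%.1f\n", log(c) / log(2) }'
}

genpw 12
echo "12 chars from 64 symbols: $(pw_bits 12 64) bits"
# date prints to one-second resolution; a 365-day year has 31536000 seconds
# (assumed window: the observer only knows the year the command was run).
echo "date | md5sum within one year: $(choices_bits 31536000) bits"
```

Taking 16 or 32 hex characters of the digest does not raise the second figure, since the same timestamp always hashes to the same string.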
Updated Feb 13, 2016