Introduction

Its extremely important for any system administrator to maintain strong passwords for their servers and databases so that they do not get exposed to hackers in case of brute force attacks or other password infiltration attempts. In this article we’ll share five different command line tools using which you can generate potent and strong passwords.

 

Method 1: Using OpenSSL

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. The openssl program is a command line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell.  Some of it’s popular uses are listed below:

  • Creation and management of private keys, public keys and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Calculation of Message Digests
  • Encryption and Decryption with Ciphers
  • Random string generation

OpenSSL is generally installed by default on most Linux distributions. In case it’s missing you may install it using the command “yum install openssl”. OpenSSL is part of the base repository for RHEL/Centos operating systems. We will use the rand (Generate pseudo-random bytes) option with the openssl command to generate an alphanumeric string which can be used as a password.

[root@linuxnix ~]# openssl rand -base64 15
1Caxj6P7GfJzJwDeJP2G
[root@linuxnix ~]#

Base64 is an encoding format used in applications and different systems which can be transferred and used without problem.  We can generate Base64 compatible random numbers with openssl rand.  Here we set the character (byte) count 15 which is the last parameter.

Method 2: Using mkpasswd
The mkpasswd utility is installed on the system as part of the expect package on RHEL based systems and is not available as a separate binary. To verify this we can run “yum whatprovides /usr/bin/mkpasswd” as shown below:

[root@linuxnix ~]# yum whatprovides /usr/bin/mkpasswd
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: centos.uhost.hk
* epel: kartolo.sby.datautama.net.id
* extras: centos.uhost.hk
* updates: mirrors.shu.edu.cn
expect-5.44.1.15-5.el6_4.x86_64 : A program-script interaction and testing utility
Repo : base
Matched from:
Filename : /usr/bin/mkpasswd

expect-5.44.1.15-5.el6_4.x86_64 : A program-script interaction and testing utility
Repo : installed
Matched from:
Other : Provides-match: /usr/bin/mkpasswd

We can use different flags with the mkpasswd command to generate a password of appropriate complexity as per our requirement. The below command generates a password of fifteen characters (-l) containing three digits (-d), five upper case characters (-C)and two special characters (-s).

[root@linuxnix ~]# mkpasswd -l 15 -d 3 -C 5 -s 2
(RH%F12TBe5hujo
[root@linuxnix ~]#

Method 3: Using urandom
The /dev/urandom device file is a source of printing random characters to the screen. We use the strings command to display printable characters from the /dev/urandom device file to the screen. This list of characters could be very long and possibly infinite. So in order to obtain a more usable output we access the /dev/urandom file in the following manner:

[root@linuxnix ~]# strings /dev/urandom |tr -dc A-Za-z0-9 | head -c15;echo
y8secFeWCTqANZJ
[root@linuxnix ~]#

The tr command filters down the output to characters containing digits, upper and lower case characters and using the head command we print the first fifteen characters as shown in the example above.

Method 4: Using md5sum
The purpose of the md5sum command is to print the md5sum checksum of a file using which the integrity of the file can be validated. Since the md5sum checksum is a random string of characters we could use the resultant string as a password. By piping the output of the date command to the md5sum command we could generate a different random string of characters every time we use this combination. This is becuase since the output of the data command will always be different therefore the resultant md5sum will also always be different. Here is an example.

[root@linuxnix ~]# date | md5sum
35081faf49141515ea74096e245e4419 -
[root@linuxnix ~]# date | md5sum
517e7bc3c243a127d6d2f035c8d14d29 -
[root@linuxnix ~]#

Notice that the md5sum is different in both cases.

Method 5: Using gpg
The gpg command line utility is actually a soft link to gpg2.

[root@linuxnix ~]# ls -l /usr/bin/gpg
lrwxrwxrwx. 1 root root 4 Mar 27 16:50 /usr/bin/gpg -> gpg2
[root@linuxnix ~]#

gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG).  It is a tool to provide digital encryption and signing services using the OpenPGP standard Given below is an example of how we could use the gpg tool to generate a random string of characters which could be used as a password.

[root@linuxnix ~]# gpg --gen-random --armor 1 15
JIRPsD+sbE0QGyQhOXHX
[root@linuxnix ~]#

In the above example, the –gen-random option implies the generation of a sequence of random bytes of characters of quality 1 and length of characters as 15. The –armor ensures that the output is base64 encoded.

Conclusion

In this article we explained with examples five command line utilities which you could make use of to generate strong passwords. We hope that you’ve found the article to be useful and we look forward towards your suggestions and feedback.

The following two tabs change content below.

Sahil Suri

He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.