
Passphrase Generator for Machine and Sysadmin Use

People often ask about passphrase generators, that is, how to generate a strong passphrase. Many web sites also offer passphrase generation. The problem with online sites, however, is that you can never fully trust them unless the way they generate passwords can be fully audited. Surprisingly, many of them even send the generated passwords over plain-text HTTP, where anyone on the network path can read them!

Even when the communication is HTTPS-protected, it is impossible to know how the passwords are generated on the server side and whether they are stored. There could also be a man-in-the-middle attack being performed on the connection. Such attacks are surprisingly common, and are routinely performed by intelligence agencies using fake certificates. Some malware and adware, including software pre-installed on Windows laptops in the case of the Lenovo Superfish scandal, also spy on encrypted web traffic. Furthermore, web browsers cache pages, and you don't really want your passphrase to remain in a cache file for weeks, do you?

Our Browser-Based Online Password Generator

We offer an online random password generator that is entirely browser-based. Unlike other password generators, there is no server component that needs to be trusted. The password does not end up in caches. That is the only online password/passphrase generator we can recommend.

The Random Passphrase/Password Generator

It is also easy to generate random passwords and passphrases on the command line using basic Unix commands. The generated passphrases are too complex to remember, but they are very useful for applications where passphrases are needed to protect machine keys and for SSH key management. The same commands can be used to generate passwords.

The basic idea is to read from /dev/urandom, a device that produces high-quality cryptographically secure pseudo-random data. The device works by collecting entropy from interrupt timings, device latencies, keypresses, packet timings and, on some systems, hardware randomness sources. It then uses strong cryptographic hash functions to produce a continuous random stream from this data. On many systems, randomness is also carried over across reboots using random seed files. The output is then formatted into something user-readable.

Actual Unix/Linux Shell Commands

Any of the following commands can be used, depending on which tools are installed on the particular operating system:

dd if=/dev/urandom bs=16 count=1 2>/dev/null | base64 | sed 's/=//g'

This generates a passphrase with 128 bits of entropy. The output looks like this:

q4fZq185VKt7LgdNSP5W7A

An alternative to the base64 command (which may not be available) is to use something like sha256sum (or md5sum, sha1sum, etc.) to generate a hexadecimal passphrase. Something like the following would work:

dd if=/dev/urandom bs=32 count=1 2>/dev/null | sha256sum -b | sed 's/ .*//'

This generates a passphrase with 256 bits of entropy. The output looks like this:

3ed04c7f887dc04fe11ad1f58f0473c88edf966502d66aff43a3583569c945de

Do These Look Too Complicated?

If you are looking for a password or passphrase that you can remember, you can take characters from the beginning of the output. Generally, at least 15 characters would be recommended to prevent password brute-forcing attacks. In 2012, any eight-character Windows password could be broken by hobbyists in a few hours. Even most 16-character passwords can be easily cracked. For hexadecimal passwords, you should multiply password lengths by 1.5, because each hexadecimal character carries only 4 bits of entropy versus 6 bits for a base64 character.
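The following script is an added example, not one of the commands above, that puts the two generators and the truncation rule into reusable shell functions and makes the entropy budget of a truncated prefix explicit. It assumes a POSIX shell with head, base64, od, tr and cut available; gen_hex uses od instead of sha256sum, which is an alternative introduced here for systems where neither base64 nor sha256sum is installed.

```shell
#!/bin/sh
# Added example: passphrase generation from /dev/urandom with the
# entropy of a truncated prefix computed explicitly. Assumes a POSIX
# shell plus head, base64, od, tr and cut.

# gen_b64 N: N random bytes, base64-encoded, with '=' padding and any
# line breaks stripped. 16 bytes yield 22 characters (128 bits).
gen_b64() {
    head -c "$1" /dev/urandom | base64 | tr -d '=\n'
}

# gen_hex N: N random bytes rendered as lowercase hex using od, an
# alternative for hosts without base64 or sha256sum.
# 32 bytes yield 64 characters (256 bits).
gen_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# entropy_bits LEN ALPHABET: entropy of the first LEN characters of the
# output. A base64 character carries 6 bits, a hex character 4 bits,
# which is where the "multiply by 1.5" rule for hex comes from.
entropy_bits() {
    case "$2" in
        base64) echo $(( $1 * 6 )) ;;
        hex)    echo $(( $1 * 4 )) ;;
        *)      echo "unknown alphabet: $2" >&2; return 1 ;;
    esac
}

# truncate_pass STR LEN: keep the first LEN characters, i.e. the
# "take characters from the beginning" shortcut for memorable passwords.
truncate_pass() {
    printf '%s' "$1" | cut -c1-"$2"
}

# Usage: a 15-character base64 prefix keeps 90 bits of entropy; the
# same 90 bits in hex need 23 characters.
full=$(gen_b64 16)
echo "full:      $full ($(entropy_bits 22 base64) bits at most)"
echo "truncated: $(truncate_pass "$full" 15) ($(entropy_bits 15 base64) bits)"
echo "hex:       $(gen_hex 32) ($(entropy_bits 64 hex) bits)"
```

The one wrinkle worth knowing is that entropy_bits slightly overstates the full 22-character base64 string: 16 bytes are 128 bits, so the last character carries only 2 bits rather than 6. For any prefix of up to 21 characters the 6-bits-per-character count is exact.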

Don't Forget to Manage Your SSH Keys

If you use automatic passphrase generation for SSH keys, you are probably going to have quite a few of them. Please remember to use SSH key management tools, such as Universal SSH Key Manager®, to protect your systems. If you are under any compliance requirements, such as Sarbanes-Oxley, HIPAA, or PCI DSS, you may also be legally or contractually required to manage them as part of basic access provisioning and termination processes.