Passphrase Generator for Machine and Sysadmin Use

People often ask about passphrase generators, that is, how to generate a strong passphrase. Many web sites offer passphrase generation. The problem with online sites is that you can never fully trust them, nor the SSL/TLS connection that is supposed to authenticate the online generator and protect the traffic to it. In particular, a man-in-the-middle attack could be performed on the connection. Such attacks are surprisingly common and are routinely performed by intelligence agencies using fake certificates. Some malware and adware - even software pre-installed on Windows laptops, as in the Lenovo Superfish scandal - also spies on encrypted web traffic. Furthermore, web browsers cache pages, and you don't really want your passphrase to remain in a cache file for weeks, do you?

The Random Passphrase/Password Generator

Luckily, there is an easy way to generate strong passphrases for keys, such as SSH keys. This can be done with basic Unix commands. The generated passphrases are too complex to remember, but are very useful for applications where passphrases are needed for protecting machine keys and for SSH key management. The same commands can be used to generate passwords.

The basic idea is to read from /dev/urandom, a device that produces high-quality, cryptographically secure pseudo-random data. The kernel feeds it by collecting entropy from interrupt timings, device latencies, keypresses, packet timings and, on some systems, hardware randomness sources. It then uses strong cryptographic hash functions to produce a continuous random stream from this data. On many systems, randomness is also carried across reboots using random seed files. The raw random bytes are then encoded into something user-readable.

Actual Unix/Linux Shell Commands

Any of the following commands can be used, depending on what tools are installed in the particular operating system:

dd if=/dev/urandom bs=16 count=1 2>/dev/null | base64 | sed 's/=//g'

This generates a passphrase with 128 bits of entropy. The output looks like this:


If the base64 command is not available, an alternative is to use something like sha256sum (or md5sum, sha1sum, etc.) to generate a passphrase in hexadecimal. Something like the following would work:

dd if=/dev/urandom bs=32 count=1 2>/dev/null | sha256sum -b | sed 's/ .*//'

This generates a passphrase with 256 bits of entropy. The output looks like this:


Do These Look Too Complicated?

If you are looking for a password or passphrase that you can remember, you can take characters from the beginning of the output. Generally, at least 15 characters would be recommended to prevent password brute-forcing attacks. In 2012, any eight-character Windows password could be broken by hobbyists in a few hours. Even most 16-character passwords can be easily cracked. For hexadecimal passwords, you should multiply password lengths by 1.5.
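The following script is an added example, not a script from the original article: it wraps the two generator pipelines from the previous section in POSIX shell functions (the article's commands, with a tr added to strip line wraps) and adds the entropy bookkeeping behind the "take characters from the beginning" and "multiply by 1.5" advice above. The function names gen_base64, gen_hex, prefix_bits and chars_for_bits are this example's own. It assumes a Linux system with coreutils (dd, base64, sha256sum).

```shell
#!/bin/sh
# Added example, not from the original article: the article's two generator
# pipelines as functions, plus entropy bookkeeping for truncated prefixes.
# Function names are this example's own; the commands inside are the article's.

# Entropy per output character: base64 packs 6 bits into each character,
# hex packs 4. That 6/4 ratio is where the "multiply by 1.5" rule comes from.
bits_per_char() {
  case "$1" in
    base64) echo 6 ;;
    hex)    echo 4 ;;
    *) echo "unknown encoding: $1" >&2; return 1 ;;
  esac
}

# Read N bytes from /dev/urandom and emit them as base64 without '=' padding
# (16 bytes -> 22 characters, 128 bits of entropy). tr strips the line wraps
# GNU base64 inserts for longer inputs.
gen_base64() {
  dd if=/dev/urandom bs="$1" count=1 2>/dev/null | base64 | sed 's/=//g' | tr -d '\n'
}

# Read N bytes from /dev/urandom and emit their SHA-256 as 64 lowercase hex
# characters (32 bytes in -> 256 bits; the hash length caps the entropy).
gen_hex() {
  dd if=/dev/urandom bs="$1" count=1 2>/dev/null | sha256sum -b | sed 's/ .*//'
}

# Entropy, in bits, carried by the first LEN characters of an ENCODING string
# that was produced from RAWBITS random bits. A prefix cannot carry more than
# went in, so the result is capped at RAWBITS.
prefix_bits() {
  enc="$1"; len="$2"; rawbits="$3"
  per=$(bits_per_char "$enc") || return 1
  bits=$((len * per))
  if [ "$bits" -gt "$rawbits" ]; then
    bits="$rawbits"
  fi
  echo "$bits"
}

# Smallest number of ENCODING characters that carries at least BITS of entropy
# (integer ceiling of BITS / bits-per-char).
chars_for_bits() {
  per=$(bits_per_char "$1") || return 1
  echo $(( ($2 + per - 1) / per ))
}

# Demo output.
p=$(gen_base64 16)
echo "base64 passphrase, ${#p} chars, 128 bits: $p"
echo "its first 15 chars carry $(prefix_bits base64 15 128) bits"
echo "a hex prefix needs $(chars_for_bits hex 90) chars to carry the same 90 bits"
if command -v sha256sum >/dev/null 2>&1; then
  h=$(gen_hex 32)
  echo "hex passphrase, ${#h} chars, 256 bits: $h"
  echo "its first 15 chars carry only $(prefix_bits hex 15 256) bits"
fi
```

Two points the numbers make visible. First, a 15-character prefix of the base64 output keeps 90 of the 128 bits, while 15 hex characters keep only 60; matching 90 bits in hex takes 23 characters, which is the 1.5 factor. Second, when a hash replaces base64 as the encoder, the hash output length caps what you get regardless of how many bytes you feed in: md5sum gives at most 128 bits and sha1sum at most 160, so "256 bits of entropy" holds only for sha256sum. One portability caveat: dd with bs=16 count=1 issues a single read() and accepts whatever it returns; Linux satisfies small /dev/urandom reads in full, but head -c 16 /dev/urandom is the safer way to insist on exactly 16 bytes.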

Don't Forget to Manage Your SSH Keys

If you use automatic passphrase generation for SSH keys, you are probably going to have quite a few of them. Please remember to use SSH key management tools, such as Universal SSH Key Manager® to protect your systems. If you are under any compliance requirements, such as Sarbanes-Oxley, HIPAA, or PCI DSS, you may also be legally or contractually required to manage them as part of basic access provisioning and termination processes.