
Generate Secure Passwords With Pwgen

Written By
Joe Brockmeier
Jan 24, 2011



Coming up with good passwords is never easy. One of my favorite tools for creating secure passwords is Password Generator, also known as pwgen, a utility that generates random (but pronounceable) passwords.


Password Generator is a utility written by Ted Ts’o, whom you may remember from such open source projects as the Linux kernel’s Ext4 filesystem. Long before Ext4 was on the scene, though, Ts’o hacked together this GPL’ed password generator that creates strong passwords, with a helpful twist: the passwords created by pwgen are also meant to be easily memorized. When you use pwgen in its default mode, it creates a password that should be “pronounceable.” That doesn’t mean it will be a word, but it will have strings of characters you can wrap your tongue around to make it easier to memorize. Let’s look at a few examples from its default output:

Eisahpe6 ZiaGae4A chahWah7 AciPoos7 Oofeeph1

None of these passwords is likely to be guessed, they’re not easily subject to dictionary attacks, and they should be suitable for most use cases. Each has at least one uppercase character and one number, yet they are easier to memorize than a purely random string.

The default should be fine for most uses, but if you want a longer password, just use pwgen NN, where NN is the length of the password you’d like to generate. For example, to get a 12-character password, use pwgen 12, and the utility will spit out a set of 120 possible passwords from which to choose (six columns, 20 rows). This way you can find one that looks easier to grapple with. Of course, the idea is that the password should be easy to memorize, so when you start getting past 10 characters it starts getting fairly difficult.

What if you must be able to recall a password at a later date? The normal mode for pwgen is to create a set of random passwords that can’t be re-created. But if you have a file that will not change you can use it to generate a password and re-create it again. What you need is a file, a seed phrase and pwgen with the -H (hash) option:

pwgen -1 -H filename#seedphrasehere

Note that if you don’t specify the -1, pwgen will go ahead and generate a full 120 passwords. This may work in your favor if you can remember which of the 120 you chose. Again — it’s very important to pick a file that will not change because pwgen is using the SHA1 hash of the file as part of the generation of the new password. I’d recommend using a file you generate explicitly for the purpose, and then saving the file somewhere safe. As the pwgen documentation warns, it’s important to remember that this kind of password may not be as random as others. Also, if an attacker gains access to your computer, he may be able to see the command with seed and filename in your history.

Note that pwgen is usable in scripts, so you can tap it for automated systems where you create user accounts and need random secure passwords. The output is slightly different when not sending to a TTY; be sure to check the man page for the options that you should use.
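The two uses described above (re-creating a password with -H, and calling pwgen from a script) can be wrapped as shell functions. This is an added example, not code from the article or from the pwgen project; the function names and the ".sha1" sidecar file that detects a changed seed file are assumptions of the example.

```sh
#!/bin/sh
# Added example: wrappers around pwgen for scripts. Function names and the
# ".sha1" sidecar file are assumptions of this example, not pwgen features.

# Print one password for an automated account.
#   -s     fully random rather than pronounceable
#   -c -n  require a capital and a digit explicitly, since pwgen's defaults
#          differ when stdout is not a TTY
#   "1"    number of passwords to print
new_password() {
    len=${1:-20}
    pw=$(pwgen -s -c -n "$len" 1) || return 1
    # Fail closed: never hand back an empty or truncated password.
    [ "${#pw}" -eq "$len" ] || return 1
    printf '%s\n' "$pw"
}

# Re-create a password with -H. The seed is read from stdin so it is not
# typed on the command line (it is still visible in pwgen's arguments
# while pwgen runs). Returns 2 if the file changed since first use.
recreate_password() {
    file=$1
    sum_file="$file.sha1"
    IFS= read -r seed || return 1
    current=$(sha1sum "$file" | cut -d' ' -f1)
    [ -n "$current" ] || return 1
    if [ -f "$sum_file" ]; then
        [ "$(cat "$sum_file")" = "$current" ] || {
            echo "refusing: $file changed since first use" >&2
            return 2
        }
    else
        printf '%s\n' "$current" > "$sum_file"
    fi
    pwgen -1 -H "$file#$seed"
}

# Usage:
#   new_password 24
#   recreate_password /path/to/seedfile    # then type the seed phrase
```

Keep the sidecar checksum alongside the backup of the seed file: a mismatch means the old password can no longer be regenerated from that file.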

You should be able to find pwgen on most Linux distributions, and I believe it’s also packaged for FreeBSD.

It’s a simple, but very useful, utility. I’ve been using pwgen for years and use it to create memorable passwords, as well as ridiculously long passwords for sensitive accounts that I can save in a password manager. If you’re not already using it, I strongly recommend checking it out!

Joe ‘Zonker’ Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at jzb@zonker.net and follow him on Twitter.


Joe Brockmeier is the editorial director of the Red Hat Blog. He joined Red Hat in 2013 as part of the Open Source and Standards (OSAS) group, now the Open Source Program Office (OSPO). Prior to Red Hat, Brockmeier worked for Citrix on the Apache OpenStack project, and was the first OpenSUSE community manager for Novell between 2008-2010. Brockmeier also has an extensive history in the tech press and publishing, having been editor-in-chief of Linux Magazine, editorial director of Linux.com, and a contributor to LWN.net, ZDNet, UnixReview.com, and many others.
