NOTE: I am not a crypto expert. This generator DOES create decent passwords that pull from psuedo random sources, are between 10 and 15 characters long, and include alpha-numeric and symbols sets, however with my fast and loose scripting it is totally possible that bad/guessable passwords could be generated. It is therefore up to the user to vet the passwords they select and verify they match whatever compliance standard is required. I will certainly be doing the same.
While my wife watched football tonight I completely reworked my psuedo random password generator script. The evolution of this has been messy, going from a crazy one-liner Bash shell script that pulled alpha-numeric chars from the /dev/urandom file to automating said one-liner using crontab to write to a file read by PHP on my website. As I said...messy, so I went back to the drawing board looking for a cleaner solution as well as an easy way to intigrate symbols. Here is my result:
I read here that PHP works well
with openssl as opposed to trying to read from urandom so I starting testing and found I could get much cleaner results with far fewer keystrokes. My
latest script uses openssl to generate a 2000 char long randomized string, then tr to pull out all the numbers. Once I have a string of numbers (length
doesn't really matter), I use fold to bind the individual chars into pairs, like 13 43 87 ... etc, creating a sort of memory stack if you will. Next, since
this string is still being read in memory, I pipe it through egrep and pop the first pair I hit between 9 and 15. This number becomes my password length.
While limited to 10-14, I feel those lengths as well as their abitrary creation beats a hard coded value or an excedingly complex logic sequence.
Now that I have my password length, my final step to simply run openssl rand using that length. Alpha-numeric and symbol sets are all included, though there is nothing programatically forcing them to all be used for each password. I noticed many of the passwords I generate this way commonly end with an '=' sigh, however this is irregular and does not appear to be a glitch in my logic. Cutting the last char would take too much effort, so I've simply left it alone.
I know it's been a while since I have posted anything, but I have been really busy learning about the current IT job
market where I live thanks to a recent layoff. One would think I would have plenty of time to blog while looking for
employment, but it's really turned into a 24/7 thing...oh well, these things happen.
Not blogging doesn't mean I'm not learning though, which brings me to the topic of the day: Passwords!
In my header I state these are psudo-random passwords. This is because while /dev/urandom appears to generate some crazy random strings, they still rely on being properly seeded. For account passwords that should be changed relatively frequently (every 45, 60, 90 days), this is usually fine, but I've read there can be cryptographic challanges to using /dev/urandom for long lived passwords like SSH or GPG keys. (see http://www.2uo.de/myths-about-urandom/ or talk with a cryptography expert...which is not me...for more details)
Anyway, this is meant to be quick and dirty, not a tutorial about cryptography. Basically, /dev/urandom is a mechanism Linux uses to generate random strings. What I did was create a script I could alias in my .bashrc file that will generate a decently randomized password between 10 and 14 mixed characters long. Here's how:
So what exactly does it do? Well, lets break it down. I'm gonna actually start in the middle of the liner at the $ sign:
This call to /dev/urandom generates a random list of 100 two-digit numbers that looks like this:
From this large list the script greps out in order of appearance the numbers 10-14 (...| egrep "10|11|12|13|14" | ...). These are potential lengths of our final password:
From what is grepped out, the top number (head -1) if selected.
Since the orginal list of 100 two-digit numbers is randomly generated, one cannot predict which number will be popped off the top. In this case the length will be 14 characters long, yet other times it will likely be something different, effectively randomizing the length of our passwords rather than hard coding value lengths. Now that we have our length set, what about the rest? Lets take a look. To make it easy I'm going to substitute $pwlength for password length:
As you can see, all that is really new here is the tr designations. Since I want my password of $pwlength to contain mixed case and numbers to make it hard, I simply add those items in and let the computer create a new list of random passwords from which I can choose:
Once I plug all this into an alias, all that I need to do is run 'pwrand' and I have a solid password generated somewhere between 10 and 14 characters.