No doubt, some people use password generators- not many, but some. Unfortunately, this means relying on 3rd party utilities, where the source code may not always be available. Personally, I would rather be in full control of the entire generation stack. I know how to make sure plenty of entropy is available in the generation, and I know which sources of entropy to draw on to maximize the entropy estimate. As such, I don't use tools like pwgen(1), apg(1), or anything else. I rely strictly on /dev/urandom, grep(1), and other tools guaranteed to be on every BSD and GNU/Linux operating system.
As such, the script below has been successfully tested in various shells on Debian GNU/Linux, PC-BSD, FreeBSD, OpenBSD, NetBSD, and SmartOS. If you encounter a shell or operating system this script does not work in, please let me know. Thanks to all those who helped me test it and offered suggestions for improvement.
So, with that said, here they are:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | # No copyright. Released under the public domain. # You really should have shuf(1) or shuffle(1) installed. Crazy fast. shuff(){ if [ $(command -v shuf) ]; then shuf -n "$1" elif [ $(command -v shuffle) ]; then shuffle -f /dev/stdin -p "$1" else awk 'BEGIN{ "od -tu4 -N4 -A n /dev/urandom" | getline srand(0+$0) } {print rand()"\t"$0}' | sort -n | cut -f 2 | head -n "$1" fi } gen_monkey_pass(){ I=0 [ $(printf "$1" | grep -E '[0-9]+') ] && NUM="$1" || NUM="1" until [ "$I" -eq "$NUM" ]; do I=$((I+1)) LC_CTYPE=C strings /dev/urandom | \ grep -o '[a-hjkmnp-z2-9-]' | head -n 16 | paste -s -d \\0 /dev/stdin done | column } gen_xkcd_pass(){ I=0 [ $(printf "$1" | grep -E '[0-9]+') ] && NUM="$1" || NUM="1" [ $(uname) = "SunOS" ] && FILE="/usr/dict/words" || FILE="/usr/share/dict/words" DICT=$(LC_CTYPE=C grep -E '^[a-zA-Z]{3,6}$' "$FILE") until [ "$I" -eq "$NUM" ]; do I=$((I+1)) WORDS=$(printf "$DICT" | shuff 6 | paste -s -d ' ' /dev/stdin) XKCD=$(printf "$WORDS" | sed 's/ //g') printf "$XKCD ($WORDS)" | awk '{x=$1;$1="";printf "%-36s %s\n", x, $0}' done | column } |
Nothing fancy about them. The first function, "shuff" is really just a helper function for systems that might not have shuf(1) or shuffle(1) installed. It's used only in the "gen_xkcd_pass" function. The next function, "gen_monkey_pass" acts like monkeys banging on the typewriter. It reads /dev/urandom directly, reading the printable characters that come out of it, counting them to 16, and putting them in an orderly set of columns for output as seen below. The input is a total set of 32-characters, giving each character exactly 5-bits of entropy. So, at 16 characters, each password comes with exactly 80-bits of entropy. The character set was chosen to stay entirely lowercase plus digits, and remain unambiguous, so it's clear, and easy to type, even though it may still be hard to remember. The function can take a numerical argument, for generating exactly that many passwords:
$ gen_monkey_pass 24 awdq2zwwfcdgzqpm t54zqxus77zsu6j6 -2h6dkp93bjdb496 thm9m9nusqxuewny qmsv2vqw-4-q4b4d ttbhpnh4n7nue5g8 ytt6asky765avkpr grwhsfmyz872zwk3 mzq-5ytdv8zawhy6 zb46qgnt62k74xwf uydrsh2axaz5-ymx 6knh32qj4yk885ea vky55q2ubgaucdnh 5dhk9t97pfja9phj rhn2qg734p83wnxs -q2hb833c-54z-9j t33shcc55e3kqcd6 q6fwn3396h4ygvq4 232hr73rkymerpyg u2pq-3ytcpc79nb9 7hqqwqujz4mxa-en jj9vdj3jtpjhwcp6 mqc97ktz-78tb2bp q7-6jug86kqhjfxn
The last function, "gen_xkcd_pass" comes from the "correct horse battery staple" comic from XKCD. On every Unix system, there is a dictionary file installed at /usr/share/dict/words or /usr/dict/words. On Debian GNU/Linux, it contains 99,171 words (OpenBSD contains 234,979!). However, many of them have the apostrophe as a valid character. Taking out any punctuation and digits, we are left with just lowercase and uppercase characters for our words. Further, the total word space is limited to at least 3 characters in length and at most 6 characters in length. This leaves us with 19,198 words, or about 14.229-bits of entropy per word. This means generating at least 6 words to achieve an 80-bit entropy minimum. For clarity, the password is space-separated to the right in parens, to make it more clear what exactly the password is, as shown below. Even if all 6 words have 6 characters (the password is 36 characters in total), the formatted line will never be longer than 80 characters in width, making it fit perfectly in an 80x24 terminal. It also takes a numerical argument, for generating exactly that many passwords:
$ gen_xkcd_pass 8 flyersepticspantearruinedwoo (flyer septic span tear ruined woo) boasgiltCurrywaivegalsAndean (boas gilt Curry waive gals Andean) selectpugjoggedlargeArabicbrood (select pug jogged large Arabic brood) titshubbubAswancartharmedtaxi (tits hubbub Aswan cart harmed taxi) Reaganmodestslowleessamefoster (Reagan modest slow lees same foster) tussleFresnoJensentheirsNohhollow (tussle Fresno Jensen theirs Noh hollow) Laredoriffplunkbarredhikersrearm (Laredo riff plunk barred hikers rearm) demostiffnukesvarlethakegilt (demo stiff nukes varlet hake gilt)
Of course, as you can see, some fairly obscure words pop out as a result, such as "filt" and "rearm". But then, you could think of it as expanding your vocabulary. If you install the "american-insane" dictionary, then you can get about 650,722 words in your total set, bringing your per-word entropy north of 16-bits. This would allow you to cut your number of generated words down to 5 instead of 6, to keep the 80-bits entropy minimum. But then, you also see far more obscure words than with the standard dictionary, and it will take a touch longer to randomize the file.
This script should be platform agnostic. If not, let me know what isn't exactly working in your shell or operating system, and why, and I'll try to address it.
{ 5 } Comments