Generating Secure Passwords on Linux: PWGen, Custom Scripts, and Other Tools

We’ve all been there: you need a strong, unique password. It needs to be a specific length, include a mix of uppercase and lowercase letters, numbers, and maybe even special characters.

And, crucially, it needs to be resistant to hacking attempts. Password generators are a popular solution for this common problem. This article will guide you through creating robust passwords quickly and easily on Linux, covering both readily available tools and a custom script solution.

1. Using the PWGen Password Generator on Linux

Let’s start with a convenient tool called pwgen. pwgen (short for “password generator”) is a command-line utility designed to create large numbers of secure, pronounceable, or truly random passwords. It’s a great option for generating secure passwords for various Linux user accounts.

Installing PWGen

To install pwgen on Debian-based distributions like Ubuntu, open your terminal and enter the following command:

sudo apt install pwgen

Read: How to reset a user password in Ubuntu

Generating Passwords with PWGen

Once installed, you can immediately generate a batch of passwords by simply running the pwgen command without any arguments:

pwgen

pwgen offers various options to customize password generation. You can specify the password length, include or exclude specific character types, and control the number of passwords generated. For a full list of these options to create random Linux passwords, see its man page that shows how to generate secure Linux passwords.

2. Creating a Custom Password Generator Script

For more tailored password generation, you can create a custom shell script. This script will allow you to define a function that generates secure passwords with a specified length, directly within your shell environment. This is useful for quickly creating secure passwords for new user accounts on Linux, for instance.

Read: How to recover deleted files on linux , an Exhaustive list of tools

Creating Bash Functions for Password Generation

The Linux command line is powered by a shell, with Bash (Bourne Again SHell) being the default on many distributions, including Ubuntu. Bash is highly configurable, allowing you to extend its functionality with custom functions. These functions, along with custom variables, can be stored in the .bashrc file located in your home directory. Let’s see how to do this.

Open your .bashrc file using a text editor like nano:

nano .bashrc

You can add your custom function at the end of this file.

The Password Generation Script

Add the following function to your .bashrc file to create a password generation command:

genpasswd() {
    local l=$1
    [ "$l" == "" ] && l=8
    tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}

Let’s break down what this function does:

• Line 1: genpasswd() { defines the function. genpasswd is the name you’ll use to call the function in your shell. You can choose a different name if you prefer.
• Line 2: local l=$1 assigns the first argument passed to the function (the desired password length) to a local variable named l.
• Line 3: [ "$l" == "" ] && l=8 checks if no argument was provided. If the length is empty, it defaults to a password length of 8 characters.
• Line 4: This line is the core of the password generation:
  • tr -dc A-Za-z0-9_ < /dev/urandom: This part uses the tr (translate) command to filter characters.
    • -dc: The -d option deletes characters, and -c complements the set of characters. Combined, they *keep* only the specified characters.
    • A-Za-z0-9_: This specifies the allowed characters: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and the underscore (_). You can modify this to include other special characters as needed.
    • < /dev/urandom: This reads a stream of random bytes from /dev/urandom, a special file that provides a source of pseudo-random data.
  • | head -c ${l}: The output of tr is piped (|) to the head command. head -c ${l} takes the first ${l} bytes (characters) from the filtered random stream, where ${l} is the desired password length.
  • | xargs: Finally, the output is piped to xargs, which simply prints the resulting password to the command line.

After saving the changes to your .bashrc file and either restarting your terminal or sourcing the file (source ~/.bashrc), you can use your new genpasswd function. For example, to generate a 12-character password, you would use:

genpasswd 12

Read: Secure Your Ubuntu 24.04 System: 30 Essential Steps for Enhanced Security

3. Exploring Other Linux Password Generators

While pwgen and custom scripts are excellent options, the Linux ecosystem offers a variety of other command-line password generators. Here are a few notable alternatives:

3.1. apg (Automated Password Generator)

apg is another powerful command-line tool that focuses on generating pronounceable passwords, making them easier to remember. It also offers options for generating completely random passwords. It’s another option for creating strong Linux passwords.

Installation (Debian/Ubuntu):

sudo apt install apg

Basic Usage:

apg

Like pwgen, apg provides numerous options for customization, which you can explore in its man page (man apg).

3.2. openssl

openssl is primarily known as a cryptography toolkit, but it also includes a handy random number generator that can be used for password generation. This provides a secure method for generating strong, random Linux passwords using a well-vetted cryptographic library.

Usage (example for a 16-character password):

openssl rand -base64 16

This command generates 16 random bytes and encodes them using Base64, resulting in a strong, random password. The -base64 option ensures the output consists of printable characters.

3.3. /dev/urandom (Directly)

As seen in the custom script, /dev/urandom is a special file that provides a stream of pseudo-random data. You can use it directly with tools like tr and head (as demonstrated in the custom script section) to create passwords. This method offers maximum flexibility but requires careful selection of character sets.

3.4. gpg (GNU Privacy Guard)

gpg, primarily used for encryption and signing, also has a built-in random number generator that’s suitable for password generation.

Usage (example for a 20-character password):

gpg --gen-random --armor 1 20

This command generates 20 random bytes of “quality level” 1 (good for most purposes) and outputs them in an ASCII-armored format (similar to Base64).

3.5 `mkpasswd`

mkpasswd command can be used to generate random passwords of varying lengths and complexity.

Installation (Debian/Ubuntu):

sudo apt install whois

To generate a random password with default settings (usually 10 characters long), you simply run:

mkpasswd

3.6 `RANDOM_PASS`

If you’re looking for a quick way to generate a random password, the environment variable $RANDOM can be of use. The variable generates an integer between 0 and 32767.

echo $RANDOM | tr -dc A-Za-z0-9_ | head -c 16 ; echo ''

This command takes advantage of bash’s ability to use environment variables to produce a Linux random password.

Conclusion

Extending the functionality of your Bash shell with custom functions and variables is straightforward. A practical application of this is creating a personalized password generator. Beyond custom scripts and pwgen, Linux offers a rich selection of tools like apg, openssl, gpg, `mkpasswd` and even direct use of /dev/urandom for creating strong, secure passwords. This Linux-based password generator is a valuable tool for both developers and everyday users, providing a quick and easy way to create strong, secure passwords on demand. This can help you to manage multiple Linux user accounts and their credentials securely. The best tool for you will depend on your specific needs and preferences; experiment with these options to find the one that fits best.