Create random passwords with OpenSSL/LibreSSL

Random Password Generation

As system administrators, we sometimes have to create passwords, whether for ourselves or for colleagues and customers. For a quick and easy way of generating random passwords, we can use the openssl utility, which is part of OpenSSL and LibreSSL. This toolkit is often already installed on systems running Linux.

OpenSSL has a randomize function (the rand command). If we feed its output through the base64 function, the scrambled set of characters becomes more human-friendly. Base64 is also used for e-mail, to store binary data safely. Besides ending up with a nice set of readable characters, the password is fairly strong as well.

openssl rand -base64 48

The output will be something like:

[Screenshot: random password generated with OpenSSL]

This way of generating passwords is very useful for scripts, or when you need some inspiration when handing out a temporary password. If you want a shorter password, simply reduce the number at the end. This might be useful if people have to type it in manually.

Another option is to extend the length and use the output as a secret key (e.g. for VPN and IPsec).

$ openssl rand -base64 1024

That is a nicely randomized key, with enough entropy. It includes capitals, numbers and “other” characters. Sure, the set of the latter is limited, but it will definitely take huge amounts of processing power to crack this.
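
A script-friendly wrapper for the two uses described above (a password and a longer secret key), as an added example that is not code from the original post. The function names `gen_password` and `gen_keyfile` and the 16-byte floor are assumptions of this example; it shows that the number given to `openssl rand` counts random bytes rather than output characters, and that output above 48 bytes is wrapped over several lines.

```shell
#!/bin/sh
# Added example; function names and the 16-byte floor are assumptions.

# gen_password [BYTES]: print BYTES random bytes as one line of base64.
# BYTES counts random bytes, not characters: the output is
# 4 * ceil(BYTES / 3) characters long and carries BYTES * 8 bits of entropy.
gen_password() {
    bytes=${1:-48}
    case $bytes in
        ''|0*|*[!0-9]*)
            echo "gen_password: BYTES must be a positive integer" >&2
            return 2 ;;
    esac
    if [ "$bytes" -lt 16 ]; then
        echo "gen_password: refusing fewer than 16 bytes (128 bits)" >&2
        return 2
    fi
    # openssl wraps base64 at 64 characters per line, so more than 48 bytes
    # gives multi-line output; strip the newlines to get a single token.
    pw=$(openssl rand -base64 "$bytes" | tr -d '\n')
    # The pipeline reports tr's exit status, so detect an openssl failure
    # by checking the length of what actually arrived.
    expected=$(( (bytes + 2) / 3 * 4 ))
    if [ "${#pw}" -ne "$expected" ]; then
        echo "gen_password: openssl rand failed" >&2
        return 1
    fi
    printf '%s\n' "$pw"
}

# gen_keyfile PATH [BYTES]: write a secret to PATH, readable by the owner only.
gen_keyfile() {
    path=$1
    bytes=${2:-1024}
    if [ -z "$path" ] || [ -e "$path" ]; then
        echo "gen_keyfile: need a path that does not exist yet" >&2
        return 2
    fi
    key=$(gen_password "$bytes") || return $?
    # Set the umask in a subshell so the file is created with mode 0600
    # without changing the caller's umask.
    ( umask 077 && printf '%s\n' "$key" > "$path" )
}
```

With these functions, `gen_password 48` prints a 64-character password, and a 1024-byte key comes out as a single 1368-character line.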

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.


2 comments

  • Kamil Boratyński

    Nice to make an alias for it and for copying. Examples:
    ```
    alias genrandpass="openssl rand -base64"
    ```
    For Mac OS X based OSes, I think it is a nice feature to auto-copy these passwords using `pbcopy`. For Linux — `xclip`.

    Nice tip for Monday!

  • Eric Light

    Hey great tip, Michael! I didn’t realise OpenSSL had a rand function. And also an excellent tip from Kamil :)
