Memorable but secure passwords
otp
Readers of thrillers may remember that one-time pads are used for coded messages intended to be used only once. The sender uses the top password or encryption, then discards it, and the receiver discards their copy after receiving a message. otp [4] has no direct connection to actual one-time pads, except that the name adds drama to security. Contrary to what the name seems to imply, there is no limit to how often you can use the passwords produced by otp. Nor should this little script from the Debian repositories be confused with the similarly named Red Hat tool.
What otp does offer is a number of simple controls for generating passwords. Its options consist of a format, followed by the number of characters in the generated password. The default is all uppercase passwords, but more options are easily added to modify results. For example, -c14 produces a password consisting only of letters that is 14 characters long. Similarly, users can opt for a password consisting of numbers (dCHARS) or letter groups that are easy to pronounce (eCHARS). For ease of use, -sCHARS can also be used to specify the spacing of hyphens throughout the password. If no options are specified, the default is passwords of eight characters with a hyphen every four characters.
Also, otp includes an option to specify the number of keys generated (-nNUMBER). In addition, it can also create an output file that can be used to verify incoming passwords (Figure 4).
![](/var/linux_magazin/storage/images/issues/2019/227/command-line-password-generators/figure-4/754114-1-eng-US/Figure-4_large.png)
Diceware
Diceware [5] gets its name from a method of generating results by rolling dice. The numbers on the dice are assembled as a number that is used to look up a word in a dictionary or word list that corresponds to that number. A number of words – five by default – are run together to produce the password. By default, each word begins with a capital letter unless the --no-caps option is used. The number of words that comprise the password can be set with --num 'NUMBER', and special characters added with --specials 'NUMBER'. A delimiter between words can be set with -d'CHARACTER'. The Diceware application is unique in that its option --dice-side NUMBER can be used so that results are not necessarily based on six-sided dice. As well, --randomsource SOURCE can be set, so that the randomness is generated by your operating system (Figure 5).
![](/var/linux_magazin/storage/images/issues/2019/227/command-line-password-generators/figure-5/754117-1-eng-US/Figure-5_large.png)
Diceware's original dictionaries have inspired a number of refinements (see xkcdpass). Diceware itself includes en (English), en_eff (based on Electronic Frontier Foundation modifications), en_orig (the original Diceware dictionary), and en_securedrop (English designed for security), which is the default. Each dictionary lists one word per line, prefaced with a sequential number, making the creation of a custom list an easy task.
xkcdpass
xkcdpass [6] is a Python script inspired by a comic strip from the geekily popular xkcd comic (Figure 6). Instead of the usual mixture of characters, the strip advocates strings of words, maintaining that these strings are just as secure as a traditional password, and much easier to remember. xkcdpass is designed to generate these strings [7].
![](/var/linux_magazin/storage/images/issues/2019/227/command-line-password-generators/figure-6/754120-1-eng-US/Figure-6_large.png)
xkcdpass works by default with a word list called eff-long [8], which was released by the Electronic Frontier Foundation under a Creative Commons Attribution license for the specific purpose of generating passwords. eff-long, in turn, was originally a modification of Alan Beale's 12Dicts package for Aspell [9], which itself was based on the standard word list for Diceware. 12Dicts consists of common English words of varying lengths originally derived from 12 different dictionaries, with outdated words, jargon, and scientific terms excluded. eff-long consists of 7,776 words, listed one per line, with the first line numbered 1111 and the rest continuing in sequence. Generally, eff-long is all that anyone needs, but other dictionaries are also installed: eff-special, which contains 1,296 memorable words that are easier to remember but provide less security, and eff-short, in which each word begins with a unique three-letter prefix that could be used one day for autocompletion. Dictionaries for Finnish, French, Italian, German, Norwegian, Portuguese, and Spanish are also available. Those who want greater security can also produce longer, more specialized lists if desired. All word lists are stored in /usr/lib/python3/dist-packages/xkcdpass/static/.
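The dice-roll lookup described in the Diceware section and the difference in strength between a 7,776-word and a 1,296-word list can be worked through in a few lines. This is an added example, not code from Diceware or xkcdpass; the function names and the eight-word sample list (keyed for three rolls of a two-sided die) are constructed for illustration.

```python
import math
import secrets

# Constructed 8-word sample in the "KEY WORD" layout described above
# (keys for three rolls of a two-sided die); not a real Diceware list.
SAMPLE_LIST = """\
111 anchor
112 biscuit
121 canyon
122 dolphin
211 ember
212 falcon
221 glacier
222 harbor
"""

def parse_wordlist(text):
    """Return {key: word} for every 'KEY WORD' line."""
    pairs = (line.split() for line in text.splitlines() if line.strip())
    return {key: word for key, word in pairs}

def roll_key(n_dice, sides, rng):
    """Roll n_dice dice and join the faces into a lookup key such as '212'."""
    return "".join(str(rng.randint(1, sides)) for _ in range(n_dice))

def passphrase(table, n_words=5, sides=6, delimiter="", caps=True):
    """Pick n_words by dice roll, using the operating system's CSPRNG."""
    n_dice = len(next(iter(table)))
    if len(table) != sides ** n_dice:
        raise ValueError("word list does not cover every possible roll")
    rng = secrets.SystemRandom()
    words = [table[roll_key(n_dice, sides, rng)] for _ in range(n_words)]
    if caps:
        words = [w.capitalize() for w in words]
    return delimiter.join(words)

def entropy_bits(list_size, n_words=5):
    """Bits of entropy when each word is drawn uniformly from the list."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    print(passphrase(table, sides=2, delimiter="-"))
    for name, size in (("7,776 words", 7776), ("1,296 words", 1296)):
        print(f"{name}: {entropy_bits(size):.1f} bits for five words")
```

The entropy figure only holds when every word is drawn uniformly and independently; constraints such as a fixed acrostic shrink the set of candidates per position and lower it.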
The number of words in a password is five by default. However, --numwords=NUMBER can be used to change the default, and --min=NUMBER or --max=NUMBER can be specified to control the length of each word. Still another way to customize the resulting password is to specify a regular expression with --var-char=REGEX. For ease of memory, --acrostic=WORD can be set, so that the first letter of each word spells out another word. For example, if the word supplied is "chaos," xkcdpass might supply the password Church Hermann Auvergne Orthodox Sculptor (Figure 7).
![](/var/linux_magazin/storage/images/issues/2019/227/command-line-password-generators/figure-7/754123-1-eng-US/Figure-7_large.png)
Those who are security-conscious can include --verbose to read the level of security supplied by a specific password. Yet another convenience is --interactive, which continues to generate passwords until you accept one.