Generating a random password from command line

The following uses openssl to generate a random binary sequence “N” bytes long, encoded in hex or base64. The value of “N” is all-important. Base64 output includes uppercase characters, which some sites require; hex gives a more readable string, but it will be longer. If the people cracking your password are using an offline database (rainbow table), longer random strings are better (this assumes they don’t know how you encoded your random bytes).

openssl rand -base64 32

openssl rand -hex 32

How long should “N” actually be? This table at Wikipedia lists the entropy in bits for various character sets. If using hex and you want 80 bits of entropy you need 16 bytes. Base64 is not listed, but its character set has 64 symbols, so its entropy is similar to the case-sensitive set with numbers, which has 62 symbols, so 80 bits would require 12 bytes. The number of bits of entropy you choose is up to you. Generally, the longer the better, and with tools like LastPass there is no reason not to use 20 or more bytes per password.
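
As an added example, not part of the original post: POSIX shell functions that turn a target entropy in bits into “N” and then call openssl rand. The function names are hypothetical, and the sizing assumes each random byte contributes 8 bits of entropy whichever encoding is applied afterwards.

```shell
#!/bin/sh
# Added example: function names are hypothetical; only `openssl rand`
# comes from the page.

# Bytes needed for at least $1 bits (assumes 8 bits per random byte).
bytes_for_bits() {
    echo $(( ($1 + 7) / 8 ))
}

# Characters printed for $1 random bytes in encoding $2 (hex or base64).
encoded_len() {
    case "$2" in
        hex)    echo $(( $1 * 2 )) ;;
        base64) echo $(( ($1 + 2) / 3 * 4 )) ;;   # count includes '=' padding
        *)      echo "unknown encoding: $2" >&2; return 1 ;;
    esac
}

# Print a password holding at least $1 bits of entropy (default 256, the
# page's N=32) in encoding $2 (default base64).
gen_password() {
    bits=${1:-256}
    enc=${2:-base64}
    case "$bits" in
        ''|*[!0-9]*) echo "bits must be a positive integer" >&2; return 1 ;;
    esac
    [ "$bits" -gt 0 ] || { echo "bits must be a positive integer" >&2; return 1; }
    n=$(bytes_for_bits "$bits")
    case "$enc" in
        hex)
            openssl rand -hex "$n" ;;
        base64)
            # Fail rather than print an empty password if openssl errors out.
            out=$(openssl rand -base64 "$n") || return 1
            # openssl wraps base64 at 64 characters; join the lines again.
            printf '%s' "$out" | tr -d '\n'
            echo ;;
        *)
            echo "unknown encoding: $enc" >&2; return 1 ;;
    esac
}
```

Calling `gen_password 256 hex` corresponds to the page's `openssl rand -hex 32`.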
