Very often sysadmins will have to setup new servers or harden existing server passwords during security audits. As a result, secure passwords have to be chosen for root, cPanel accounts, ftp, etc. There are many composite practices that make a server secure, but often overlooked is using secure passwords.

Notice that SSH or MySQL root passwords were not included above. This is because if you are serious about security these should not be accessible via remote password login. For SSH, you should already be using authentication keys and set PasswordAuthentication no in your sshd config file. For MySQL you should use skip-networking bind-address = 127.0.0.1 and/or iptables to block port 3306 or restrict access to spcific IPs. If MySQL is on the same server, connect via sockets. In any case, using secure passwords for MySQL is still recommended.

Generating secure passwords

For selecting secure passwords, here’s what is recommended:

Passwords should be at LEAST 10 16 characters in length.

Include letters (mixed case), numbers and special characters.

Using pwgen to generate secure password

Here’s my go-to command line method for secure password generation. The command I use is:

pwgen -y 32

Even more secure:

pwgen -ys 32

More about pwgen here. On most Linux distros you can install pwgen using the package manager. For example:

apt install pwgen

or

yum install pwgen

Once installed, here’s an explanation of the command I’m using above. You can fine tune to meet your needs.

-y, –symbols Include at least one special character in the password.

-s, –secure Generate completely random, hard-to-memorize passwords. These should only be used for machine passwords, since otherwise it’s almost guaranteed that users will simply write the password on a piece of paper taped to the monitor…

32 the length of generated passwords.

Need fewer generated passwords? Use pwgen -ys 32 1 where 1 = the number of password results.

Here’s an example of passwords generated DO NOT USE THESE!

eich]ai+J5oophei7ir`iegoothah0ee

Ahfahz!u6Aivoo^Ph”oaGoo!veisa1Ni

Mo8quah<c{o%a@v3feequouquahcheeF

iop,oojoh:M$eD3Ohp7queeje9thee?B

Using pass to generate secure password

With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities. Thus, pass is also a command line password manager.

# Thanks +Mike Carden.

This is an updated article from 2013. Here’s the previous method from the original article…

Use the urandom command to generate secure passwords

Recommended urandom

< /dev/urandom tr -dc '[:graph:]' | head -c16;echo;

Right-hand only urandom

< /dev/urandom tr -dc '67890^*_+-=;:,.?yuiopYUIOPhjklHJKLbnmBNM' | head -c16;echo;

Left-hand only urandom

< /dev/urandom tr -dc '12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c16;echo;

Making this into a simple easy to remember command

Edit your bashrc

vi ~/.bashrc

Add this line:

spw(){ insert one of the above options here }

Example:

spw(){ < /dev/urandom tr -dc '[:graph:]' | head -c16;echo; }

Save and restart server or even better just reload bash using:

source ~/.bash_profile

Now in future just type the following to generate a secure password:

spw

Using these methods it would take at best trillions of years to crack your password. This is why a strong password is VERY important. There are other linux commands that use openssl, dd and date to generate passwords, but urandom pwgen is my preferred method. Feel free to add your methods below. Also remember you should have security in place to avoid brute force password cracking. For example after 5 to 15 failed attempts the IP should be blocked permanently and reported (for example: abuseipdb.com).

Add your methods and suggestions…