More and more persons are using a password storage system. Thanks to those systems, we can put complex passwords in our different applications. So, the next need is to create such complex password. This blog will explain how to do it. At the end of the blog, you will see how to perform this on OpenBSD in a simple and efficient way

Context

Based on different websites, providing such solutions, I've adapted them for the OpenBSD operating system.

Basically the different methods proposed are using /dev/random to generate some fuzzy characters, then we translate it into ASCII characters.

But, in OpenBSD, there is an other option using arc4random and very efficient, I let you check it at the end of this blog.

Based on /dev/random

The first possibility, is to use /dev/random.

This command generate random data of 32 bytes. Then, via the base64 encoder, we translate them into an ascii set of characters, then we conserve the 14 first characters.

/bin/dd if=/dev/urandom count=1 bs=32 2>&1 | /usr/local/bin/base64 -e | /usr/bin/head -1 | /usr/bin/cut -b -14

NOTE: the command above requires to have the package base64. If you do not have it, please do: doas pkg_add base64

If you don't want to install this extra package, and as commented by Bob here under, we could use the uuencode command available in OpenBSD:

/bin/dd if=/dev/urandom count=1 bs=32 2>/dev/null | /usr/bin/uuencode -m - | /usr/bin/sed '1d;$ d' | /usr/bin/cut -b -14

For your info, /dev/urandom and /dev/random are the same (on OpenBSD 6.4):

obsd-laptop:~$ ls -al /dev/*ran* lrwxr-xr-x 1 root wheel 7 Oct 27 17:29 /dev/random@ -> urandom crw-r--r-- 1 root wheel 45, 0 Mar 12 20:50 /dev/urandom

The above command produce such results:

hwzO6OmzxCDaml WCbibs4j7SFf+Y 5eVyipPIK4tKyO C/mIrq6g3+8p8h fMNgdA2Rlu20kQ

Based on openssl.

The 2nd often method is to use OpenSSL, specifically the "random" feature of it. The following command generate a random ASCII set and conserver the 14 first.

openssl rand -base64 32 | cut -b -14

This produce such results:

PUsmult9NXqZUK NKYSZ3jnEzPlhf EdPHfT9JAJMBHg 99GLscQDaTBG5x LvgATR50HpKLLI

What is a good password ?

Based on mathematical rules a minimum of 14 characters is ideal when we use only alphanumeric characters. Indeed, is such case, the "Massive cracking Scenario" is about 40 centuries. If we use symbols, we could use 12 characters.

The following website allows you to evaluate such mathematical rules:

https://www.grc.com/haystack.htm

Improved script to force symbols

Methods presented here above do not always contains symbols. To solve this situation, I propose you a simple script:

#CMD="/usr/bin/openssl rand -base64 32 | cut -b -12" CMD="/bin/dd if=/dev/urandom count=1 bs=32 2>&1 | /usr/local/bin/base64 -e | /usr/bin/head -1 | /usr/bin/cut -b -12" set -A SYMBOLS / + - count=0 while [[ $count -lt 100 ]] do passwd=$(eval $CMD) for symbol in "${SYMBOLS[@]}" do if [[ -z "${passwd##*$symbol*}" ]]; then echo $passwd exit 0 fi done count=$((count + 1)) done echo "Failed to generate a good password"

The full script can be downloaded here

In such case the results are:

nVE0aV+ieSqSO2 Hn/ZBEoMr9/M7Q 1hGDffDvEz/0he +VsQ+7W8Dc1lQR 4rZY/jOjAjLUBX

We always have at least once symbol. But, in encoding strings, the symbols are "/", "+" or "-". This could be a problem is a smart password cracker limits symbols to those 3 instead of the 33 available in order to optimize his cracking tool.

OpenBSD solution to generate passwords

I cannot close this topic without mentioning a tool present in every OpenBSD system: jot.

Thanks to such tool, you can generate random strings based on arc4random. The command to generate text is the following:

jot -r -c 12 32 127 | rs -g0

In few words, this command, generate 12 random numbers "-r" between 32 and 127. It displays it as a ASCII character "-c", then pass it to rs is order to display it in one row.

The results of such commands are:

UAE@j"|:m"/$ Q`)r^F-Y(DZk 5\Ayce!`8(<L :%%v/)PoY/B>

As you can see we have every type of symbols, and few of them are symbols not easy to use; either rejected by the applications, either difficult to use in a "password storage system".

gen_password based on jot

So, I propose you a script, based on jot, that generate random text with the symbols you want to use.

You can download the script here

In short, you can adapt the array CHAR to the symbols you want to use. In my script, I've put the following symbols

, . / + - _ @ # ;

By using this script without extra parameters, the results are the following:

yjzGuIP0n,tS 3R7XJ+nIr8AS n1seYDPvkg_k 0CUVb@JDCbJo cJSnR97wBh_O

As we can see, by default the script generate a password of 12 characters where 1 is a symbol.

But you can force other lengths. The accepted parameters of gen_password are:

gen_password [< number of alphanumeric char>] [ <number of symbols>]

So, you can do:

gen_password 8 4

That produce this:

_Hz0+@WV;kp6 #ex-f+13Ly_K D/RlPp@b.gY# +;x5Oo.E+pY9

With such tool you have more symbols than with openssl or with base64. Moreover you can decide how much symbols you want in your password

Conclusion

Once again OpenBSD amazed me by providing a powerful tool "jot" that allow us to generate random phrases.

Jot is simple to use and combined with some lines of shell script allow us to have a decent password generator.

Have fun with OpenBSD, and do not hesitate to let me a comment if you use my gen_password script.