Generating Secure Passwords for your Linux Server
source link: https://haydenjames.io/generating-secure-passwords-for-your-linux-server/
Sysadmins often have to set up new servers or harden the passwords on existing ones during security audits. As a result, secure passwords have to be chosen for SFTP, admin panels, and similar services.
Many practices go into making a server secure, but one that is often neglected is using secure passwords.
Notice that I didn’t include SSH or MySQL root passwords above. If you are serious about security, these should not be accessible via a remote password login.
For SSH, you should already be using authentication keys and have set PasswordAuthentication no in your sshd config file.
For MySQL, you should use skip-networking or bind-address = 127.0.0.1, and/or iptables to block port 3306 or restrict access to specific IP(s). If MySQL is on the same server as the application, connect via the Unix socket instead of TCP.
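As an added example (not code from the original article), here is a small POSIX shell checker for the SSH point above. It reads an sshd_config on stdin and reports the PasswordAuthentication value that will actually take effect. The details it encodes are real sshd behaviour: the first value found for a keyword wins, keyword matching is case-insensitive, both "Key value" and "Key=value" are accepted, and '#' starts a comment. Settings inside Match blocks are conditional, so the checker stops at the first Match line; assuming you only care about the global setting. The sample config and its name SAMPLE_SSHD_CONFIG are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): report the effective
# PasswordAuthentication setting of an sshd_config read on stdin.
# sshd applies the FIRST value it finds for a keyword, matching is
# case-insensitive, "Key value" and "Key=value" are both accepted, and
# '#' starts a comment. Match blocks are conditional, so we stop there
# (assumption: only the global setting matters for this check).

# effective_sshd_option KEY [DEFAULT]  -- prints the value in effect.
effective_sshd_option() {
    key=$1
    def=${2:-yes}   # sshd's own default for PasswordAuthentication is yes
    awk -v key="$key" -v def="$def" '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # strip comments, normalise Key=value
        NF == 0 { next }                         # nothing left on this line
        tolower($1) == "match" { exit }          # conditional section: stop here
        tolower($1) == tolower(key) { print $2; found = 1; exit }   # first match wins
        END { if (!found) print def }
    '
}

# Succeeds (exit 0) only if remote password login is off.
password_login_disabled() {
    [ "$(effective_sshd_option PasswordAuthentication yes)" = "no" ]
}

# Constructed sample config: the early "yes" wins over the later "no".
SAMPLE_SSHD_CONFIG='# constructed sshd_config for demonstration
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no   # never takes effect: sshd keeps the first value
'

if printf '%s' "$SAMPLE_SSHD_CONFIG" | password_login_disabled; then
    echo "ok: PasswordAuthentication is no"
else
    effective=$(printf '%s' "$SAMPLE_SSHD_CONFIG" | effective_sshd_option PasswordAuthentication)
    echo "WARNING: password login is still enabled (effective value: $effective)"
fi
```

On a real host run it as effective_sshd_option PasswordAuthentication < /etc/ssh/sshd_config, and cross-check against sshd -T, which prints the configuration sshd itself has resolved (including Include files and Match rules this checker ignores).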
Generating secure passwords
For selecting secure passwords, here’s what is recommended:
- Passwords should be at least 16 characters in length (the earlier recommendation was 10).
- Include letters (mixed case), numbers, and special characters.
Using pwgen to generate a secure password
Here’s my go-to command-line method for secure password generation. The command I use is:
pwgen -y 32
Even more secure, and easy to remember because the flags spell the word 'sync':
pwgen -sync 16
Read more about pwgen. On most Linux distros, you can install pwgen using the system's package manager. For example:
apt install pwgen
dnf install pwgen
Once installed, here’s an explanation of the command I’m using above. You can fine-tune it to meet your needs.
-s, --secure: Generate completely random, hard-to-memorize passwords.
-y, --symbols: Include at least one special character in the password.
-n, --numerals: Include at least one number in the password.
-c, --capitalize: Include at least one capital letter in the password.
16: the length of the generated passwords.
Need fewer generated passwords? Use pwgen -sync 16 1
where the trailing 1 is the number of passwords to output.
Using pass to generate a secure password
With pass, each password lives inside a GPG-encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command-line file management utilities. Thus, pass is also a command-line password manager.
This is an updated article from 2013. Here’s the previous method from the original article…
Use the urandom command to generate secure passwords
Recommended urandom
< /dev/urandom tr -dc '[:graph:]' | head -c16;echo;
Right-hand only urandom
< /dev/urandom tr -dc '67890^*_+-=;:,.?yuiopYUIOPhjklHJKLbnmBNM' | head -c16;echo;
Left-hand only urandom
< /dev/urandom tr -dc '12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c16;echo;
Making this into a simple, easy-to-remember command
Edit your bashrc
vi ~/.bashrc
Add this line:
spw(){ insert one of the above options here }
Example:
spw(){ < /dev/urandom tr -dc '[:graph:]' | head -c16;echo; }
Save and log in again, or even better, just reload the file using:
source ~/.bashrc
Now in the future, just type the following to generate a secure password:
spw
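As an added example (not the article's own spw), here is a stricter version of the helper you could paste into ~/.bashrc. It takes a length (default 16) and regenerates until the result meets the policy given earlier on this page: at least 16 characters with lower case, upper case, a digit and a symbol. The plain tr -dc '[:graph:]' | head -c16 pipeline draws uniformly from the 94 printable ASCII characters but does not guarantee that every class appears. The function names check_password_policy, random_graph_chars and the length argument are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the article): a stricter spw() for ~/.bashrc.
# It takes a length (default 16) and regenerates until the password meets
# the page's policy: >= 16 chars with lower case, upper case, a digit and
# a symbol. Function names and the length argument are assumptions of
# this example, not part of the original one-liner.

# check_password_policy PASSWORD  -- exit 0 if it meets the policy, 1 if not.
check_password_policy() {
    pw=$1
    [ "${#pw}" -ge 16 ] || return 1
    case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:punct:]]*) ;; *) return 1 ;; esac
    return 0
}

# random_graph_chars N  -- N printable, non-space characters from the
# kernel CSPRNG; LC_ALL=C pins [:graph:] to the 94 ASCII characters.
random_graph_chars() {
    LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | head -c "$1"
}

# spw [LENGTH]  -- print one policy-compliant password (default 16 chars).
spw() {
    len=${1:-16}
    if [ "$len" -lt 16 ]; then
        echo "spw: length must be at least 16" >&2
        return 2
    fi
    # Roughly one candidate in six lacks a digit at 16 chars, so loop
    # until all four classes are present.
    while :; do
        candidate=$(random_graph_chars "$len")
        if check_password_policy "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

spw       # 16-character password
spw 24    # longer password, e.g. for a service account
```

Rejecting short lengths inside the function means a typo like spw 6 fails loudly instead of quietly producing a weak password.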
Passwords generated this way would take a brute-force attacker trillions of years to guess. This is why a strong password is essential.
Other Linux commands use OpenSSL, dd, and date to generate passwords, but pwgen (urandom in the original article) is my preferred method. Feel free to add your methods below.
Also, remember you should have protection in place against brute-force password guessing. For example, after 5 failed attempts, the IP should be blocked and reported (for example, to abuseipdb.com).
More on how I set that up in a later article.
Published: November 23rd, 2013
Last updated: July 27th, 2021