Generating Secure Passwords for your Linux Server

Sysadmins will often have to set up new servers or harden existing server passwords during security audits. As a result, secure passwords have to be chosen for SFTP, admin panels, etc.

Many practices make a server secure, but often neglected is using secure passwords.

Notice that I didn’t include SSH or MySQL root passwords above. If you are serious about security, these should not be accessible via a remote password login.

For SSH, you should already be using authentication keys and set PasswordAuthentication no in your SSHD config file.

For MySQL, you should use skip-networking bind-address = 127.0.0.1 and/or iptables to block port 3306 or restrict access to specific IP(s). If MySQL is on the same server, connect via sockets.

Generating secure passwords

For selecting secure passwords, here’s what is recommended:

• Passwords should be at LEAST 10 16 characters in length.
• Include letters (mixed case), numbers, and special characters.

Using pwgen to generate a secure password

Here’s my go-to command-line method for secure password generation. The command I use is:

pwgen -y 32

Even more secure and easy to remember using the word ‘sync’:

pwgen -sync 16

Read more about pwgen. On most Linux distros, you can install pwgen using the systems package manager. For example:

apt install pwgen

dnf install pwgen

Once installed, here’s an explanation of the command I’m using above. You can fine-tune it to meet your needs.

-s, –secure: Generate completely random, hard-to-memorize passwords.

-y, –symbols: Include at least one special character in the password.

-n, –numerals: Include at least one number in the password.

-c, –capitalize: Include at least one capital letter in the password.

16: the length of generated passwords.

Need fewer generated passwords? Use pwgen -sync 16 1 where 1 = the number of password results.

Using pass to generate a secure password

With pass, each password lives inside a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command-line file management utilities. Thus, pass is also a command-line password manager.

This is an updated article from 2013. Here’s the previous method from the original article…

Use the urandom command to generate secure passwords

Recommended urandom

< /dev/urandom tr -dc '[:graph:]' | head -c16;echo;

Right-hand only urandom

< /dev/urandom tr -dc '67890^*_+-=;:,.?yuiopYUIOPhjklHJKLbnmBNM' | head -c16;echo;

Left-hand only urandom

< /dev/urandom tr -dc '12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c16;echo;

Making this into a simple easy to remember command

Edit your bashrc

vi ~/.bashrc

Add this line:

spw(){ insert one of the above options here }

Example:

spw(){ < /dev/urandom tr -dc '[:graph:]' | head -c16;echo; }

Save and restart the server, or even better, just reload bash using:

source ~/.bash_profile

Now in the future, just type the following to generate a secure password:

spw

Using these methods, it would take trillions of years to crack your password. This is why a strong password is essential.

Other Linux commands use OpenSSL, dd, and date to generate passwords, but urandom pwgen is my preferred method. Feel free to add your methods below.

Also, remember you should have security in place to avoid brute force password cracking. For example, after 5 failed attempts, the IP should be blocked and reported (for example, abuseipdb.com).

More on how I set up that in a later article.

Published: November 23rd, 2013
Last updated: July 27th, 2021