LinkedIn Sourceforge

Vincent's Blog

Pleasure in the job puts perfection in the work (Aristote)

Simple way to generate strong passwords

Posted on 2019-03-16 16:19:00 from Vincent in OpenBSD Security

More and more persons are using a password storage system. Thanks to those systems, we can put complex passwords in our different applications. So, the next need is to create such complex password. This blog will explain how to do it. At the end of the blog, you will see how to perform this on OpenBSD in a simple and efficient way


Context

Based on different websites, providing such solutions, I've adapted them for the OpenBSD operating system.

Basically the different methods proposed are using /dev/random to generate some fuzzy characters, then we translate it into ASCII characters.

But, in OpenBSD, there is an other option using arc4random and very efficient, I let you check it at the end of this blog.

Based on /dev/random

The first possibility, is to use /dev/random.

This command generate random data of 32 bytes. Then, via the base64 encoder, we translate them into an ascii set of characters, then we conserve the 14 first characters.

/bin/dd if=/dev/urandom count=1 bs=32 2>&1 | /usr/local/bin/base64 -e | /usr/bin/head -1 | /usr/bin/cut -b -14

NOTE: the command above requires to have the package base64. If you do not have it, please do: doas pkg_add base64

If you don't want to install this extra package, and as commented by Bob here under, we could use the uuencode command available in OpenBSD:

/bin/dd if=/dev/urandom count=1 bs=32 2>/dev/null | /usr/bin/uuencode -m - | /usr/bin/sed '1d;$ d' | /usr/bin/cut -b -14

For your info, /dev/urandom and /dev/random are the same (on OpenBSD 6.4):

obsd-laptop:~$ ls -al /dev/*ran*
lrwxr-xr-x  1 root  wheel         7 Oct 27 17:29 /dev/random@ -> urandom
crw-r--r--  1 root  wheel   45,   0 Mar 12 20:50 /dev/urandom

The above command produce such results:

hwzO6OmzxCDaml
WCbibs4j7SFf+Y
5eVyipPIK4tKyO
C/mIrq6g3+8p8h
fMNgdA2Rlu20kQ

Based on openssl.

The 2nd often method is to use OpenSSL, specifically the "random" feature of it. The following command generate a random ASCII set and conserver the 14 first.

openssl rand -base64 32 | cut -b -14

This produce such results:

PUsmult9NXqZUK
NKYSZ3jnEzPlhf
EdPHfT9JAJMBHg
99GLscQDaTBG5x
LvgATR50HpKLLI

What is a good password ?

Based on mathematical rules a minimum of 14 characters is ideal when we use only alphanumeric characters. Indeed, is such case, the "Massive cracking Scenario" is about 40 centuries. If we use symbols, we could use 12 characters.

The following website allows you to evaluate such mathematical rules:

https://www.grc.com/haystack.htm

Improved script to force symbols

Methods presented here above do not always contains symbols. To solve this situation, I propose you a simple script:

#CMD="/usr/bin/openssl rand -base64 32 | cut -b -12"
CMD="/bin/dd if=/dev/urandom count=1 bs=32 2>&1 | /usr/local/bin/base64 -e | /usr/bin/head -1 | /usr/bin/cut -b -12"
set -A SYMBOLS / + -
count=0
while [[ $count -lt 100  ]]
do
    passwd=$(eval $CMD)
    for symbol in "${SYMBOLS[@]}"
    do
        if [[ -z "${passwd##*$symbol*}" ]]; then
            echo $passwd
            exit 0
        fi
    done
    count=$((count + 1))
done
echo "Failed to generate a good password"

The full script can be downloaded here

In such case the results are:

nVE0aV+ieSqSO2
Hn/ZBEoMr9/M7Q
1hGDffDvEz/0he
+VsQ+7W8Dc1lQR
4rZY/jOjAjLUBX

We always have at least once symbol. But, in encoding strings, the symbols are "/", "+" or "-". This could be a problem is a smart password cracker limits symbols to those 3 instead of the 33 available in order to optimize his cracking tool.

OpenBSD solution to generate passwords

I cannot close this topic without mentioning a tool present in every OpenBSD system: jot.

Thanks to such tool, you can generate random strings based on arc4random. The command to generate text is the following:

jot -r -c 12 32 127 | rs -g0

In few words, this command, generate 12 random numbers "-r" between 32 and 127. It displays it as a ASCII character "-c", then pass it to rs is order to display it in one row.

The results of such commands are:

UAE@j"|:m"/$
Q`)r^F-Y(DZk
5\Ayce!`8(<L
:%%v/)PoY/B>

As you can see we have every type of symbols, and few of them are symbols not easy to use; either rejected by the applications, either difficult to use in a "password storage system".

gen_password based on jot

So, I propose you a script, based on jot, that generate random text with the symbols you want to use.

You can download the script here

In short, you can adapt the array CHAR to the symbols you want to use. In my script, I've put the following symbols

 , . / + - _ @ # ;

By using this script without extra parameters, the results are the following:

yjzGuIP0n,tS
3R7XJ+nIr8AS
n1seYDPvkg_k
0CUVb@JDCbJo
cJSnR97wBh_O

As we can see, by default the script generate a password of 12 characters where 1 is a symbol.

But you can force other lengths. The accepted parameters of gen_password are:

gen_password [< number of alphanumeric char>] [ <number of symbols>]

So, you can do:

gen_password 8 4

That produce this:

_Hz0+@WV;kp6
#ex-f+13Ly_K
D/RlPp@b.gY#
+;x5Oo.E+pY9

With such tool you have more symbols than with openssl or with base64. Moreover you can decide how much symbols you want in your password

Conclusion

Once again OpenBSD amazed me by providing a powerful tool "jot" that allow us to generate random phrases.

Jot is simple to use and combined with some lines of shell script allow us to have a decent password generator.

Have fun with OpenBSD, and do not hesitate to let me a comment if you use my gen_password script.



47, 53
displayed: 11218
Comments:

1. From bob on Sun Mar 17 20:49:33 2019

You could use uuencode for base64 encode too, it is in OpenBSD base, something like this: dd if=/dev/urandom count=1 bs=32 2>/dev/null | uuencode -m - | sed '1d;$ d' I think it is better to write stderr to /dev/null instead of piping the written records and encode it as base64 :)

2. From Vincent on Sun Mar 17 21:07:06 2019

Indeed Bob. Many thanks for this remark. This avoid to add the base64 package. (the text has been adapted)

3. From Stefan on Mon Mar 18 15:44:31 2019

Hi Vincent, really like your OpenBSD-based script: If you have to enter a PW with the keys mapped to English but your keyboard has non-English layout your script allows to focus on those symbols whose position are known. Additionally your script allows to add a blank as symbol thus randomly generating passphrases. Well done! Thank you very much for sharing!

4. From Vincent on Mon Mar 18 16:32:46 2019

Thanks for the comment Stefan. Idea to keep characters that map different keyboard is interesting. But I attrack your attention that in such case , you must adapt the 2 following line
getrandom $LEN_ALMNUM 1 61
getrandom $LEN_SYM 62 $max
Because in your case, 61 and 62 will no more the case (62 = 26 + 26 + 10). Anyhow, It's not my plan to re-type passwords. I prefer to use tools that either re-type passwords them self, either they use the clipboard, and I just past it. But that's an other topic ;-)




What is the second letter of the word Python?