Command line tool to generate memorable passwords?
I've since moved on to XCKD style passphrases for most of my passwords. Here is a 1 liner from commandlinefu to generate a passphrase:
shuf -n4 /usr/share/dict/words | tr -d '\n'
2020: I posted this answer in 2011. In the years that have passed, the face of cyber security and the demands to it have changed rapidly and enormously. As has been pointed out by anarcat, pwgen may not (or no longer) be suitable for securing high-security systems. He sets out to describe the technical details on how pwgen can, in some circumstances, use insecure methods of password derivation from available entropy in his article. Although I no longer believe in generating passwords to then try and remember them myself, I do not have the technical aptitude to validate, let alone vouch for the contents of the article as quoted so please read it and draw your own conclusions. Having said that, I am convinced that pwgen will suffice for low-security systems where attack is very unlikely.
You might want to check out the pwgen
application. I know it to be available in the Ubuntu, Fedora, Debian and Suse repositories.
From the man page:
The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. Human-memorable passwords are never going to be as secure as completely completely random passwords. In particular, passwords generated by pwgen without the -s option should not be used in places where the password could be attacked via an off-line brute-force attack. On the other hand, completely randomly generated passwords have a tendency to be written down, and are subject to being compromised in that fashion.
The pwgen program is designed to be used both interactively, and in shell scripts. Hence, its default behavior differs depending on whether the standard output is a tty device or a pipe to another program. Used interactively, pwgen will display a screenful of passwords, allowing the user to pick a single password, and then quickly erase the screen. This prevents someone from being able to "shoulder surf" the user's chosen password.
I would recommend people stop using pwgen - its main interested was generating "human-rememberable passwords", but it showed multiple vulnerabilities in doing exactly that. And using it to generate completely random strings isn't that useful either.
I wrote a detailed article on that very topic, but basically, the gist of it is to use the diceware program (or, if you like dice, the actual diceware system) or xkcdpass. To generate strong memorable passwords, I generally use diceware with the following configuration file:
[diceware]
caps = off
delimiter = "-"
wordlist = en_eff
Examples:
$ diceware
turkey-eligibly-underwire-recite-lifter-wasp
$ diceware
lend-rubdown-cornflake-tint-shawl-ozone
$ diceware
syndrome-ramp-cresting-resolved-flinch-veneering
$ diceware
alto-badass-eclipse-surplus-rudder-quit
I turn off caps and spaces because they generate distinct audible noises that could be leveraged by an attacker. The -
delimiter is a lesser evil: it would be better to not use any separator and the en_eff
wordlist is especially crafted for that purpose. But I find it easier to communicate and share passwords when they have some separator.
To generate a completely random password, I use the following shell function:
# secure password generator or, as dkg puts it:
# high-entropy compact printable/transferable string generator
# a password generator would be pwqgen or diceware
pwg() {
ENTROPY=${1:-20} # in bytes
# strip possible newlines if output is wrapped and trailing = signs as they add nothing to the password's entropy
head -c $ENTROPY /dev/random | base64 | tr -d '\n='
echo
}
I mention this because I believe it is important to memorize less passwords and instead rely on a password manager to store large strings that are hard to guess. More details about the rationale behind those choices is explained in the aforementioned article and my password managers review.