

#PWGEN MAN PASSWORD#
The passwords created by pwgen are also meant to be easily memorized. When you use pwgen in its default mode, it creates a password that should be "pronounceable." That doesn't mean it will be a word, but it will have strings of characters you can wrap your tongue around to make it easier to memorize. Let's look at a few examples from its default output:

    Eisahpe6 ZiaGae4A chahWah7 AciPoos7 Oofeeph1

None of the passwords are likely to be guessed, they're not easily subject to dictionary attacks, and they should be suitable for most use cases. Each has at least one uppercase character and one number.

The default should be fine for most uses, but if you want a longer password, just use pwgen NN, where NN is the length of the password you'd like to generate. For example, to get a 12-character password, use pwgen 12, and the utility will spit out a set of 120 possible passwords from which to choose (six columns, 20 rows). This way you can find one that looks easier to grapple with. Of course, the idea is that the password should be easy to memorize, so when you start getting past 10 characters it starts getting fairly difficult.

The normal mode for pwgen is to create a set of random passwords that can't be re-created. What if you must be able to recall a password at a later date?

#PWGEN MAN GENERATOR#
Enter Pwgen, a utility that generates random (but pronounceable) passwords. Password Generator is a utility written by Ted Ts'o, whom you may remember from such open source projects as the Linux kernel's Ext4 filesystem. Long before Ext4 was on the scene though, Ts'o hacked together this GPL'ed password generator that creates strong passwords - with a helpful twist.

Coming up with good passwords is never easy. One of my favorite tools for creating secure passwords is Password Generator, also known as pwgen, a utility that generates random (but pronounceable) passwords.

The actual answer to your question is too hard for me to reasonably calculate, but I can say a few useful things about this.

Pwgen does not produce passwords uniformly. Some passwords are more likely than others. This is because it tries to mimic some of the frequencies we have in English. This is true of most "pronounceable" password generators. Note I discuss this in my PasswordConLV15 talk. A link to the video of the talk and the slides are here:

There is no clear answer to what notion of entropy is most appropriate when the password creation schemes do not produce uniform output. I have argued that we should be using min-entropy in such cases.

Additionally, some versions of pwgen are subject to the modulo bias. It is a relatively small bias that comes up through a common design error when trying to pick a number between 1 and N even when the underlying random number generator is good.

So between the relatively small modulo bias and the much larger deliberate bias toward more likely sounding syllables, it would require a level of analysis beyond what I am willing to do to actually calculate the min-entropy.

It is frustrating that popular password generators are hard to actually analyze in terms of strength. But for most practical purposes, if you just make sure to generate things that are a few characters longer than you otherwise might, then your gain in strength from generating a longer password will surely overwhelm the loss of strength from their non-uniform behavior.

An exact answer would require a deeper analysis of the pwgen source code, or a more exact measurement. But I think we can use a strong compressor to approximate the entropy. The command

    pwgen 1048576|xz -9ve -|wc -c

generates a 1MB long password, compresses it with the best known flags of the best known compressor, and measures the size of the output. Replayed measurements didn't show a significant dispersion. Based on this, the entropy of a single, 8 byte-long pwgen password is 8*8*593412/1048576 = 36.2 bits.

Note: although the output was a text file, xz could compress it only with a surprisingly bad ratio. Typically, text data can be compressed to around 10% of its original size, while xz could reach only a 60% ratio. It means that pwgen is probably quite sophisticatedly tuned also for high entropy, and not only to produce easily pronounceable passwords.

36 bit is not enough defense against GPU-accelerated, clustered brute force attacks. But it is far more than enough against automated login scripts, particularly if something (like fail2ban) causes a hard, low limit to the possible tries.
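The modulo bias and the min-entropy argument from the first answer above, as an added example that is not part of the page and is not pwgen's own code: it maps a uniform random byte onto 26 values with the remainder operator to show the exact skew that creates, removes the skew with rejection sampling, and then compares Shannon entropy with min-entropy both for that skewed output and for a constructed toy syllable distribution. The syllable weights are made up for illustration only; pwgen's real tables are not reproduced.

```python
"""Added example (not from the Q&A page and not pwgen's own code): how the
modulo bias arises when a uniform random byte is reduced onto 1..N with '%',
how rejection sampling removes it, and why min-entropy and Shannon entropy
differ for the kind of non-uniform output a pronounceable generator has."""
from collections import Counter
import math


def modulo_pick(byte, n):
    """The common design error: one uniform byte reduced with '%'.
    Exact only when n divides 256; otherwise the low residues come up
    more often. Add 1 to the result if a range of 1..N is wanted."""
    return byte % n


def rejection_pick(stream, n):
    """Unbiased alternative: discard bytes at or above the largest multiple
    of n that fits in 256, then reduce. `stream` yields random bytes."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n
    raise ValueError("random stream exhausted")


def modulo_distribution(n):
    """Exact output distribution of modulo_pick over all 256 byte values.
    For n=26: residues 0..21 get 10/256 each, residues 22..25 get 9/256."""
    counts = Counter(modulo_pick(b, n) for b in range(256))
    return {v: c / 256 for v, c in sorted(counts.items())}


def normalize(weights):
    """Turn {symbol: weight} into a probability distribution."""
    total = sum(weights.values())
    return {s: w / total for s, w in weights.items()}


def shannon_entropy(dist):
    """Average surprise in bits: what 'entropy' usually means."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """-log2 of the single most likely outcome: the figure that matters for
    a guesser who tries the most probable outputs first, and the notion the
    answer argues for when output is not uniform."""
    return -math.log2(max(dist.values()))


def password_entropies(dist, length):
    """Both measures for `length` independent draws from `dist`."""
    return shannon_entropy(dist) * length, min_entropy(dist) * length


# Constructed toy 'syllable' distribution, deliberately skewed toward
# likely-sounding pieces in the spirit of a pronounceable generator.
# Illustrative only; the weights are invented, not taken from pwgen.
SYLLABLES = normalize({"ah": 4, "ee": 2, "ph": 1, "zz": 1, "qu": 1})

if __name__ == "__main__":
    d26 = modulo_distribution(26)
    print("byte % 26: P(0) =", d26[0], " P(25) =", d26[25])
    print("uniform 26 letters:", math.log2(26), "bits per symbol")
    print("modulo-biased 26: shannon", shannon_entropy(d26),
          "min", min_entropy(d26))
    print("toy syllables, 4 draws (shannon, min):",
          password_entropies(SYLLABLES, 4))
```

For the 26-letter case the modulo bias costs only a few thousandths of a bit per symbol, which matches the answer's "relatively small"; the toy syllable table shows the other effect, where Shannon entropy and min-entropy diverge by almost a bit per draw because a guesser can start with the most common syllables.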
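The compression estimate from the second answer above, as an added example that is not taken from the answer or from pwgen: Python's lzma module stands in for xz, the answer's arithmetic (8 * length * compressed / sample) is reproduced on the answer's own numbers, and the same estimate is then run on constructed samples whose true entropy is known (uniform lowercase letters, uniform alphanumerics, and a repeating string). The one deviation from xz -9e is an assumed 1 MiB dictionary cap, which fully covers the sample and avoids the several hundred MiB the -9 preset would reserve. Because a lossless compressor cannot, on average, spend fewer bits than the source entropy, the estimate approaches the true value from above, so a figure obtained this way is an upper bound on the entropy rather than the entropy itself.

```python
"""Added example (not from the answer and not pwgen's own code): the
compression-based entropy estimate behind `pwgen 1048576 | xz -9ve - | wc -c`,
implemented with Python's lzma module and run on constructed inputs whose
true entropy is known, so the method's upward bias can be seen."""
import lzma
import math
import random
import string


def xz_compressed_size(data):
    """Compressed size in bytes, i.e. the answer's `xz -9ve - | wc -c`.
    Assumption: the dictionary is capped at 1 MiB (enough to cover the
    sample) so the example does not need the memory the -9 preset reserves."""
    filters = [{"id": lzma.FILTER_LZMA2,
                "preset": 9 | lzma.PRESET_EXTREME,
                "dict_size": 1 << 20}]
    return len(lzma.compress(data, format=lzma.FORMAT_XZ, filters=filters))


def bits_per_char(compressed_size, sample_size):
    """8 * compressed / original: bits the compressor needed per character."""
    return 8 * compressed_size / sample_size


def password_entropy_estimate(compressed_size, sample_size, length=8):
    """The answer's arithmetic: 8 * length * compressed / sample_size."""
    return length * bits_per_char(compressed_size, sample_size)


def uniform_sample(alphabet, n, seed=1):
    """Constructed input: n i.i.d. uniform characters from `alphabet`, whose
    true entropy is exactly log2(len(alphabet)) bits per character. A fixed
    seed keeps the measurement repeatable."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(n)).encode("ascii")


def compare(alphabet, n=200_000):
    """Return (true bits/char, xz-estimated bits/char) for a uniform sample.
    200,000 characters instead of the answer's 1 MiB keeps the run short."""
    data = uniform_sample(alphabet, n)
    return math.log2(len(alphabet)), bits_per_char(xz_compressed_size(data), n)


def repetitive_estimate(n=200_000):
    """A zero-entropy-rate input: the estimate should collapse toward 0."""
    data = (b"abcd" * (n // 4))[:n]
    return bits_per_char(xz_compressed_size(data), n)


if __name__ == "__main__":
    # The answer's own measurement, re-expressed with these helpers.
    print("pwgen sample, 8 chars:",
          round(password_entropy_estimate(593412, 1048576), 1), "bits")
    for name, alphabet in [("lowercase", string.ascii_lowercase),
                           ("alnum", string.ascii_letters + string.digits)]:
        true_bits, est = compare(alphabet)
        print(f"{name}: true {true_bits:.2f} bits/char, xz estimate {est:.2f}")
    print("repeating 'abcd':", round(repetitive_estimate(), 4), "bits/char")
```

On the uniform samples the estimate lands a fraction of a bit above log2 of the alphabet size, never below it, and the repeating string collapses to almost nothing; read against the answer, this means the 36.2-bit figure is what xz could not squeeze out, and the generator's true entropy is at most that.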
