Random Password generator, with real words.

[wuxmedia]

My First 'from scratch' bash script.

Some comments from collegues:
Why all the variables?
Why not just use pwgen?

all valid points...
anyway;

Code: Select all

## Random Personal Password generator.
## Inspired by www.passweird.com
## Dodgy bash script by WuX

# 2 Numbers chosen to pick a random word from dictionary
WORDNUMBER=($RANDOM * $RANDOM)
WORDNUMBER2=($RANDOM * $RANDOM)

# Get how many words are in dict/
LISTNUMBER=`wc -w /usr/share/dict/words | cut -c1-5`

# Modulo those two variables to make 2 constrained random numbers
MAGICNUMBER=$(($WORDNUMBER % $LISTNUMBER))
MAGICNUMBER2=$(($WORDNUMBER2 % $LISTNUMBER))

# Get a random word with 'p' appended so sed doesnt add a newline, sed any damn " 's " off of the word.
RNDWORD=`sed -n $MAGICNUMBER"p" /usr/share/dict/words | sed s/\'s//`
RNDWORD2=`sed -n $MAGICNUMBER2"p" /usr/share/dict/words | sed s/\'s//`

# make a 2 digit random number
RND=($RANDOM / $RANDOM)
RND=`echo $RND | cut -c 1-2`

# Add them together, split with a hyphen, short random number appended.
PASS="$RNDWORD"-"$RNDWORD2""$RND"

# Lighty L33t it

echo $PASS | tr [eos] [305]

Cons, (TO DO)
Full of hideous overly complex bash techniques.
No switches, no options in general.
Occasionally uses a non ascii letter.
Not a lot of different passwords generated at once.

Pros,
No dependencies.
Very strong passwords, but sometimes too long.
It works.


Samples;

Code: Select all

c3ll0phan3-H3rrick11
Whit3h0r53-c0pil0t570
abridg3d-c0n5truct3d25
c0ntrivanc3-adm0ni5h3d32
Elt0n-c0qu3tt323
c0ngr3gati0n5-Jahangir62
Grail-bl00m18
am3ndm3nt-c0rr35p0nd3nt17
Hayw0rth-c0rr3ct3r16
c0nj0ining-Th0r0ughbr3d29

Comments welcome. Hahahah

EDIT, might drop the l33ting on one word and lose the number at the end
seems as strong a pass and easy to read/remember

[machinebacon]

I like it, though I'd recommend to keep the l33ting and the number, because password crackers use exactly the /dict from which you generate the password list (see "John", shipped with BBQ)

[wuxmedia]

Aaah, Thanks Bacon.
Cyptography, like bash scripting - isn't one of my strong points. 8)

[rhowaldt]

actually, password crackers *also* use the l33t1ng and such. they know their shit.
still, a nice script wux, well done!

[wuxmedia]

thanks.
used it for a customer today, although just one word. as it was a low security acct.

[johnraff]

Thanks wux, some code in there I'll probably lift...

Memorable but strong passwords have been an problem for everyone I guess. (I've got pages of random passwords written down, so if a burgular got physical access and figured out what they were for I'd be done I suppose.)

Some people suggest pass sentences, but I don't know if that would help.

[wuxmedia]

Well, everyone here at work uses pwgen, I cordially dislike it.
The only half decent setting is 'pwgen 8 -B' and then pick one that people can half remember.

I like this because after about ten goes, it pushes out one which creates an mental image, 'c0nj0ining-Th0r0ughbr3d29' for example.

occasionally have to transmit a passwd by phone, which sucks explaining capital this and "is that a zero or a cap 'O'?"
I'd rather say your pass is 'squishy-hyphen-boobies' 3's for E's and Zero's for O's.
do everything 'server' side... 8)
then it's up to them after to change it to 'trustno1'

John, nabbing some of the code in there? wow! I'm honoured.
pass phrases/sentences seem good, but for me hard to generate, they tend to be longer than allow.

interesting;
http://www.codinghorror.com/blog/2005/0 ... rases.html

[wuxmedia]

slightly tidier and now makes multiple pass words at once!
new version on github now.
I know, you can't wait - right? 8p

[dkeg]

Really great wux. In going to use it.

[jeffreyC]

Thanks wux, some code in there I'll probably lift...

Memorable but strong passwords have been an problem for everyone I guess. (I've got pages of random passwords written down, so if a burgular got physical access and figured out what they were for I'd be done I suppose.)

Some people suggest pass sentences, but I don't know if that would help.

Oldish computer security/hacking/cracking saying: "Physical access IS root access."

[DebianJoe]

(I've got pages of random passwords written down, so if a burgular got physical access and figured out what they were for I'd be done I suppose.)

If someone broke into my home and got my passwords, I think I'd be far more concerned about the fact that someone broke into my home than them having access to my computer.

I'm actually laughing about the very idea of a thief with physical access to my computer:

Code: Select all

* (scan '(:sequence
           (:register
             (:greedy-repetition 0 nil
                                 (:char-class (:range #\a #\z))))
           (:filter my-info-filter 0) "X")
        "bYcdeX")

"...what the hell is this?" -- Imaginary Thief.

[wuxmedia]

...physical access and figured out what they were for I'd be done I suppose.)

Some people suggest pass sentences, but I don't know if that would help.

Oldish computer security/hacking/cracking saying: "Physical access IS root access."

Where I work that's true, anyone ever /bin/bashed a machine to get root?

@dkeg - thanks man! didn't see your post till just now!

[johnraff]

(I've got pages of random passwords written down, so if a burgular got physical access and figured out what they were for I'd be done I suppose.)

If someone broke into my home and got my passwords, I think I'd be far more concerned about the fact that someone broke into my home than them having access to my computer.

There's not much worth stealing here. (I've heard that can be worse - burgulars with nothing to steal get pissed off and make a mess.) I'm not worried about access to what's in the computer - bunch of bash scripts, some photos and music - but passwords like paypal or my UK bank, email accounts... So it's not so much physical access to the box as physical access to the passwords.

[machinebacon]

Added to newest release - script is named "passwux"!

Thanks for your contribution!

[wuxmedia]

Wow, I'm honoured Gentle Sir!
Thanks!
I did actually update it to spit out 20 passes for variety, it's on github, I assume that was the version included?
No matter to me, if not.
made my day!


BTW great name, why didn't I think of that?

[machinebacon]

Oh yes, I will use the github version, thanks for reminding me :)

[wei2912]

Being a paranoid cryptography guy security conscious guy, I'd suggest using an external source of entropy combined with /dev/urandom (similar to what GPG does when it generates a key).

Still, this should be good enough. :)

[wuxmedia]

Thanks, The main idea was to have a pass that one can remember, for a short time, which allowed the user to change after, but be secure enough to remain, should they not do so - or forget.

I just had a couple too many customers look at a password like 1LIi0OK0Ol1 (which in sans serif fonts - iphone, i'm looking at you) is impossible to decipher.
And as John said - they have to write this gibberish down anyway, and with the other gibberish passwords they have to annotate it, keep it in their pocket..so what's the point?

[machinebacon]

t43r315n0p01nt :D

[wuxmedia]

1|\||)33|) 8p