5

On One liner to create passwords in linux?, I see advice generally of the form head -c16 /dev/urandom | md5sum. They're all random combinations of text manipulation commands, sha1, base64 and md5sum and to me it seems like a shotgun approach. But how secure are these techniques really? Can you get a secure password just from a bunch of commands sloppily thrown together?

user107127
  • 51
  • 1

2 Answers2

4

First off: Those commands are not sloppily thrown together. They are stiched together such that they do the job.

And yes, of course they do their job. Hashing 16 bytes of entropy, expanding it to a longer (but printable) string, should be fine from a security perspective.

The definition of secure might be different for you, though. Usually, secure passwords are

  • long enough to not allow
    • brute force and
    • rainbow table attacks,
  • complex enough to not be guessed easily,
  • contain as much entropy as possible and
  • are intracktable with a dictionary attack.

All this is the case with the one liners. Please also note there is the famous XKCD about this which might interest you as well as it sheds some more light on the

It can be actually remembered by humans

part of password security.

Tobi Nary
  • 14,302
  • 8
  • 43
  • 58
  • I think your idea of expanding it should include a true key stretching function such as those presented in RFC-2898 commonly known as pbkdf2. – jas- Apr 12 '16 at 02:38
  • But that's not a one-liner. Sure, there are better measures, but that was not the question. – Tobi Nary Apr 12 '16 at 09:45
  • 1
    @jas- There's no need for key-stretching if your key is already strong enough. 128 bits should suffice for now and the future. – SilverlightFox Apr 12 '16 at 10:33
  • While I don't disagree with the key size I would pose the question; why would anyone find the need to design, publish & implement the specified RFC if one hash of some random bits were sufficient? – jas- Apr 12 '16 at 10:47
  • 1
    @jas- go and ask that question then. I can link you to [a suitable Q&A site for that](https://security.stackexchange.com). – Tobi Nary Apr 12 '16 at 11:31
  • I already know the answer but thanks lulz – jas- Apr 12 '16 at 12:17
-3

It seems like good idea. I use a code like this:

head -c 2048 /dev/urandom |sha512sum |grep -oP '\d{1,2}' |tr -d "\n" |md5sum |awk '{print substr($0,0,8)}'

Explanation:

  • head -c 2048 - print 2048 bytes of data;
  • /dev/urandom - pseudo-device generated pseudo-random bits;
  • sha512sum - create sha256 check sum;
  • grep -oP '\d{1,2}' - take 1-2 long char digit from sha256 check sum output;
  • tr -d "\n" - delete newline char;
  • md5aum - create md5 check sum from "digit";
  • awk '{print substr($0,0,8)}' - print first 8 chars.

Example:

$ /dev/urandom >./GSCH

$ head -c 2048 ./GSCH |sha512sum
1d9272f18d0af714b8dfd0933956b2ca104a8ead0c02aa9b8f01349d2be45660307bdac4ee8036100a0d960a4ad4e8df11255457e39d7ffc12c6c85c8212144f

$ head -c 2048 ./GSCH |sha512sum |grep -oP '\d{1,2}'
1 92 72 18 0 71 4 8 09 33 95 6 2 10 4 8 0 02 9 8 01 34 9 2 45 66 03 07 4 80 36 10 0 0 96 0 4 4 8 11 25 54 57 39 7 12 6 85 82 12 14 4

$ head -c 2048 ./GSCH |sha512sum |grep -oP '\d{1,2}' |tr -d "\n"
192721807148093395621048002980134924566030748036100096044811255457397126858212144

$ head -c 2048 ./GSCH |sha512sum |grep -oP '\d{1,2}' |tr -d "\n" |md5sum
10c4616d3bc184b4a1dce47670e29890

$ head -c 2048 ./GSCH |sha512sum |grep -oP '\d{1,2}' |tr -d "\n" |md5sum |awk '{print substr($0,0,8)}'
10c4616d
techraf
  • 9,141
  • 11
  • 44
  • 62
Pavel Kulikov
  • 1
  • 2
  • 1
    This seems really silly. You're not getting any extra entropy by doing this, especially considering you just get the first few characters of the md5sum output. – forest Apr 12 '16 at 01:44