I saw this post here that mentions one method of generating cryptographically secure passwords. Recently, I was given a similar task and took a different approach.

One of the answers in that question used the following:

tr -dc '[:alnum:]' < /dev/urandom | head -c20

My method looked more like the following:

dd if=/dev/urandom bs="$password_length" count=1 | base64

I didn't have a requirement for it to be alphanumeric-only, and no requirement for it to contain symbols or anything like that. The only requirements were that it's 8 characters minimum (I went with 80 in practice because, if it only needs to be read/used by a machine, why not?), and hard to guess.

Is there any (cryptographically significant) difference between the two methods (aside from length)?

1 Answer

Aside from length, no, there is no difference at all. The former generates a 20 character password with a keyspace of 62^20, whereas the latter generates a password with a keyspace of 2^(8×bytes). Assuming bytes is at least 16, you will get 128 bits of entropy, which is considered a safe minimum. Both these commands get their entropy directly from /dev/urandom. However, you do not need to use dd for this purpose, which is rather inefficient. You can safely and slightly more efficiently use:

head -c"$bytes" /dev/urandom | base64
forest
  • `[:alnum:]` is 62 in an ASCII-only locale like C or POSIX, and more in a non-English but single-byte (usable with urandom) locale. – dave_thompson_085 Apr 18 '18 at 05:32
  • Wow, I just realized I had been thinking of the alphabet as having 24 characters, not 26. I've been staring at too much disassembly... – forest Apr 19 '18 at 07:42
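
The two generators discussed above, side by side with the entropy and output length each one yields. This is an added example, not code from the question or the answer; the function names are hypothetical, and it assumes `head -c`, `base64` and `awk` are available.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the posts above.

# N characters drawn from [A-Za-z0-9]. LC_ALL=C pins [:alnum:] to the
# 62 ASCII characters; in other single-byte locales the class can be
# larger, which changes the keyspace.
gen_alnum() {
    LC_ALL=C tr -dc '[:alnum:]' < /dev/urandom | head -c "$1"
}

# N random bytes, base64-encoded. base64 may wrap long output (GNU wraps
# at 76 columns), so newlines are stripped to keep the secret on one line.
gen_base64() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Whole bits of entropy in N alphanumeric characters: floor(N * log2(62)).
alnum_bits() {
    awk -v n="$1" 'BEGIN { printf "%d\n", int(n * log(62) / log(2)) }'
}

# Bits of entropy in N random bytes; the encoding adds or removes none.
bytes_bits() {
    echo $(( $1 * 8 ))
}

# Length of the base64 text for N input bytes: 4 * ceil(N / 3),
# '=' padding included. This is longer than N itself.
base64_len() {
    echo $(( ( ($1 + 2) / 3 ) * 4 ))
}

echo "alnum  x20: $(gen_alnum 20) ($(alnum_bits 20) bits)"
echo "base64 x16: $(gen_base64 16) ($(bytes_bits 16) bits, $(base64_len 16) chars)"
```

With the question's `password_length` of 80 bytes, the encoded output is 108 characters and would span two lines without the newline stripping.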