To appreciate the limitations of using openssl rand for password generation, consider the following list of passwords generated using openssl rand -base64 16.
ePBz52RSaAvrOfG2a3ATxg== Pbxb2ibu0/YgoHLa4Qisnw== e7ERZ/wQ0SdKJ68oQTR1qA== faJgjNgQLDCqCSkkoq+b/w== ZoVQ/52qWvrmt3KideUO4w== wC9wtt0hBBOOq3bOukN+nA== +YEoFC7/lmgaPSzGF2lEVA== 9skoC89aWe1/odqA/ykxuA==
We see that openssl rand will generate passwords using upper and lowercase letters, numbers and some special characters. On closer inspection though, we notice that passwords are not as random as they could be. Some observations include:
- The = appears to be used as padding the end of the password.
- The only special characters used within a password that I could generate were + and /.
- On average, zero, one or two special characters are included within the password
The other quirk to notice is that there are 24 characters in the password. It difficult to relate this back to the command string. It turns out the padding and password length can be explained as follows:
One note on the OpenSSL base64 command: the number you enter is the number of random bytes that OpenSSL will generate, *before* base64 encoding. Base64 then produces four bytes of output for every three bytes of input – meaning that the number on the command line should be 3/4 of the desired password length. So, for example, if I wanted a 16 character password, the command I would need would be “openssl rand -base64 12” .
If your input number isn’t a multiple of 3 – that’s when you get the = signs at the end of the base64 output, to pad out the remaining space to finish a block of four output bytes.
How To Generate Random Numbers and Password with OpenSSL Rand
After considerable research and experimentation, I’ve come up with a bash function for generating very random passwords using /dev/urandom. It takes as an input a number representing the length of the desired password.
rand() {
local rnum=$(LC_ALL=C tr -dc 'A-Za-z0-9 !"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c "$1" ; echo)
echo $rnum
}Consider the following list of random passwords using $(rand 24):
lqcvcO9&ieotV$mRi^x_x2,?
*ESnExD'*BLWS8NW5s]=%]:'
spLja?wRph|@221"3Mc8OBm+
_nr{b,poR{~,U$|p,zxB!dlp
`T5#BQ8~pUf6/*.YOC%u]fS*
##@E|6DMX9'^S-^EfE=-5f+:
I5Rk~+d9I%z[]BkO$b#&%W}d
doa!niWl[I|;_KowiuB'f;x)It’s quite apparent that the list of passwords generated using the function is much more random than those generated using openssl rand.
A couple of things to note about the extended rand() function:
- A quote character ‘ is represented by the bits in red.
- A quirk of FreeBSD requires the minus (-) character to be placed at the end of the string of special characters when using a reduced set of special characters. If not, full-stops (.) and commas (,) are included in the generated password even if these are excluded from the string of special characters.
- I wasn’t able to generate a password with the backslash character (\). There may be other special characters that FreeBSD will not include in a password.
- When using the
sedcommand with therandfunction, avoid the special characters ampersand (&) and pipe (|) as well.
Disallowed special characters for various FreeNAS programs:
| Program | Disallowed Special Characters | Notes |
|---|---|---|
| sed | & | | The pipe symbol (|) is often used as a delimiter. |
| mysql | ” \ | Passwords |
| phpMyAdmin | \ | Blowfish secret requires two backslashes (\\) to represent a single backslash (\). Avoid using it in password generation. |
| wp-config.php | ” ‘ \ | Authorisation keys and salts. These characters were not seen. |
| bash | ” ‘ space `$ | Single and double quotes are often used as string delimiters. Where there are no spaces in a string, delimiters can often be omitted. |
A well behaved rand function for FreeNAS excludes all the disallowed characters identified in the table above.
rand() {
local rnum=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%()*+,-./:;<=>?@[]^_{}~' </dev/urandom | head -c "$1" ; echo)
echo $rnum
}References
Comments