Generating Passwords

You’re setting up a new account somewhere and you’re asked to create a password for it. This should be simple, right? My head isn’t very good at coming up with random ones, so I fall back on letting the computer do the work for me.

The goals are simple:

  • We should be able to generate something long enough and random enough that attackers can’t simply guess them.
  • We need unique passwords for every site.
  • There should be no chance the password is exposed to anyone outside of the people that need it.
  • If it’s easy to remember without compromising the above, excellent!


apg – the Advanced Password Generator

“apg”, the Advanced Password Generator, is a command line utility that creates random passwords. You can decide how long it needs to be to match your password policy.

It’s included in most operating systems. To install, choose the appropriate command:

rpm-based Linuxes:

sudo yum install apg

deb-package-based Linuxes:

sudo apt install apg

MacOS with macports:

sudo port install apg

MacOS with homebrew:

sudo brew install apg

Windows with WSL 2.0:

Enter your WSL command prompt and use the above install command that matches the flavor of Linux you installed.


Using apg

To generate a new password, try the following:

apg -a 0 -m 16 -x 16 -M SNCL -E '015|' -n 1

The above options ask for a single (-n 1) readable (-a 0) password with a minimum (-m 16) and maximum (-x 16) length of 16 characters that uses characters from the Symbol, Number, Capital, and Lowercase character sets. “-E” specifically tells apg to not use the digits zero, one, or five, or the vertical pipe symbol to avoid confusion with similar looking letters.

Here’s an example of the output from the above command:

apg -a 0 -m 16 -x 16 -M SNCL -E '015|' -n 1 

Your output may differ. In fact, it darn well better differ. 🙂


Correct Horse Battery Staple

Randall Munroe is the author of the xkcd online comic ( ). His comics, books, blog posts, and online talks are both funny and insightful to a geeky audience, with wonderful references to internet and computing topics.

His “Password Strength” comic ( ) compares generating a long random password with generating a passphrase built up of random words. The comic has examples of both, and points out that the long random password is both difficult to remember and (relatively) easy to brute force guess (3 days in this example), while the random word passphrase is simple to remember and many orders of magnitude harder to brute force (550 years in this example).

I won’t try to analyze the accuracy of his math about the relative entropy/randomness (see for insights from people much brighter than I). I do agree with his other point that word phrases are much easier to remember, so would like to offer this as an alternative.


Web-Based Generator

The website at will generate these random word passphrases for you. If you’re concerned about the strength of a short phrase, you can increase the minimum number of words and/or the minimum phrase length.

I have no reason to distrust the owner of that website, but would simply point out that they could save these phrases as they’re generated. That’s why I’d prefer a:


Command Line Version

There are a couple of these you can use — see for a list of available tools. I’ll suggest a python-based version since you can always read the code before running it.

deb-packaged-based Linuxes:

sudo apt install xkcdpass

MacOS with Macports:

sudo port install py-xkcdpass

Python with Pip3:

pip3 install -U setuptools ; pip3 install xkcdpass


Using it

Once it’s installed, you can run:


to generate a passphrase. To see all the available options, use:

xkcdpass -h


Reading It Out Over the Phone

There’s one more side aspect to the process: getting it to the user that needs it. Reading the password/passphrase on a phone call or video conference runs the risk of misunderstanding; the sounds for many pairs of letters (think of “p,” “c,” “d,” and “e”) are similar, especially when the audio is scratchy.

The NATO phonetic alphabet ( gives you a better way to speak the individual characters. Instead of saying “p,” you’d use “papa.” “E” is “echo,” “d” is “delta,” and “c” is “charlie” — these 4 are far less likely to be confused than the individual letters.

The apg program has this covered. Simply add “-l” (“dash-ell,” ironically easy to mistake that for “dash-one” 😀) to the end of the command line to get both the password and the phonetic alphabet equivalent:

apg -a 0 -m 12 -x 12 -M SNCL -E '015|' -n 1 | tee -a /dev/stderr |
ECHO bravo echo uniform lima ECHO romeo backslash OSCAR mike sierra seven lf

While apg has this built in, there’s a standalone tool that also converts any text you feed it into the phonetic equivalent: This is handy if you use something other than apg to create passwords from scratch. Here’s an example:

apg -a 0 -m 12 -x 12 -M SNCL -E '015|' -n 1 | tee -a /dev/stderr |
ECHO bravo echo uniform lima ECHO romeo backslash OSCAR mike sierra seven lf

The “tee” command spits the password both to your screen (the “-a /dev/stderr” part) and to the next command in the pipeline, “”. That command converts the raw characters to their phonetic equivalents.

To install the utility, run the following 4 commands:

mkdir -p ~/bin/
cd ~/bin/
chmod 755 ~/bin/







  • Randall Munroe, the author of XKCD.  Randall has some excellent books at
  • Adel I. Mirzazhanov, the author of apg.
  • Aaron for reminding me about correct-horse-battery-staple!
  • Steven Tobin, the author of xkcdpass.
  • Keith and Aaron, for reviewing this.




Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

Share this:
AC-Hunter Datasheet
AC-Hunter Personal Demo
What We’re up To