Generating Passwords

You’re setting up a new account somewhere and you’re asked to create a password for it. This should be simple, right? My head isn’t very good at coming up with random ones, so I fall back on letting the computer do the work for me.
The goals are simple:
- We should be able to generate something long enough and random enough that attackers can’t simply guess them.
- We need unique passwords for every site.
- There should be no chance the password is exposed to anyone outside of the people that need it.
- If it’s easy to remember without compromising the above, excellent!
apg – the Advanced Password Generator
“apg”, the Advanced Password Generator, is a command line utility that creates random passwords. You can decide how long it needs to be to match your password policy.
It’s included in most operating systems. To install, choose the appropriate command:
rpm-based Linuxes:
sudo yum install apg
deb-package-based Linuxes:
sudo apt install apg
MacOS with macports:
sudo port install apg
MacOS with homebrew:
sudo brew install apg
Windows with WSL 2.0:
Enter your WSL command prompt and use the above install command that matches the flavor of Linux you installed.
Using apg
To generate a new password, try the following:
apg -a 0 -m 16 -x 16 -M SNCL -E '015|' -n 1
The above options ask for a single (-n 1) readable (-a 0) password with a minimum (-m 16) and maximum (-x 16) length of 16 characters that uses characters from the Symbol, Number, Capital, and Lowercase character sets. “-E” specifically tells apg to not use the digits zero, one, or five, or the vertical pipe symbol to avoid confusion with similar looking letters.
Here’s an example of the output from the above command:
apg -a 0 -m 16 -x 16 -M SNCL -E '015|' -n 1 Kin.DrudToddUrt7
Your output may differ. In fact, it darn well better differ. 🙂
Correct Horse Battery Staple
Randall Munroe is the author of the xkcd online comic ( https://xkcd.com ). His comics, books, blog posts, and online talks are both funny and insightful to a geeky audience, with wonderful references to internet and computing topics.
His “Password Strength” comic ( https://xkcd.com/936/ ) compares generating a long random password with generating a passphrase built up of random words. The comic has examples of both, and points out that the long random password is both difficult to remember and (relatively) easy to brute force guess (3 days in this example), while the random word passphrase is simple to remember and many orders of magnitude harder to brute force (550 years in this example).
I won’t try to analyze the accuracy of his math about the relative entropy/randomness (see https://www.google.com//search?udm=14&q=%22correct+horse+battery+staple%22+analysis#ip=1 for insights from people much brighter than I). I do agree with his other point that word phrases are much easier to remember, so would like to offer this as an alternative.
Web-Based Generator
The website at https://www.correcthorsebatterystaple.net/index.html will generate these random word passphrases for you. If you’re concerned about the strength of a short phrase, you can increase the minimum number of words and/or the minimum phrase length.
I have no reason to distrust the owner of that website, but would simply point out that they could save these phrases as they’re generated. That’s why I’d prefer a:
Command Line Version
There are a couple of these you can use — see https://github.com/topics/correct-horse-battery-staple for a list of available tools. I’ll suggest a python-based version since you can always read the code before running it.
deb-packaged-based Linuxes:
sudo apt install xkcdpass
MacOS with Macports:
sudo port install py-xkcdpass
Python with Pip3:
pip3 install -U setuptools ; pip3 install xkcdpass
Using it
Once it’s installed, you can run:
xkcdpass
to generate a passphrase. To see all the available options, use:
xkcdpass -h
Reading It Out Over the Phone
There’s one more side aspect to the process: getting it to the user that needs it. Reading the password/passphrase on a phone call or video conference runs the risk of misunderstanding; the sounds for many pairs of letters (think of “p,” “c,” “d,” and “e”) are similar, especially when the audio is scratchy.
The NATO phonetic alphabet (https://en.wikipedia.org/wiki/NATO_phonetic_alphabet) gives you a better way to speak the individual characters. Instead of saying “p,” you’d use “papa.” “E” is “echo,” “d” is “delta,” and “c” is “charlie” — these 4 are far less likely to be confused than the individual letters.
The apg program has this covered. Simply add “-l” (“dash-ell,” ironically easy to mistake that for “dash-one” 😀) to the end of the command line to get both the password and the phonetic alphabet equivalent:
apg -a 0 -m 12 -x 12 -M SNCL -E '015|' -n 1 | tee -a /dev/stderr | readablepassword.py EbeulEr\Oms7 ECHO bravo echo uniform lima ECHO romeo backslash OSCAR mike sierra seven lf
While apg has this built in, there’s a standalone tool that also converts any text you feed it into the phonetic equivalent: readablepassword.py. This is handy if you use something other than apg to create passwords from scratch. Here’s an example:
apg -a 0 -m 12 -x 12 -M SNCL -E '015|' -n 1 | tee -a /dev/stderr | readablepassword.py EbeulEr\Oms7 ECHO bravo echo uniform lima ECHO romeo backslash OSCAR mike sierra seven lf
The “tee” command spits the password both to your screen (the “-a /dev/stderr” part) and to the next command in the pipeline, “readablepassword.py”. That command converts the raw characters to their phonetic equivalents.
To install the readablepassword.py utility, run the following 4 commands:
mkdir -p ~/bin/ cd ~/bin/ wget https://raw.githubusercontent.com/william-stearns/readablepassword/main/readablepassword.py chmod 755 ~/bin/readablepassword.py
References
- APG source code mirror: https://github.com/jabenninghoff/apg
- Manual page: “man apg” or https://linux.die.net/man/1/apg
- The XKCD cartoon that inspired Correct Horse Battery Staple: https://xkcd.com/936/
- An online generator of CHBS passphrases: https://www.correcthorsebatterystaple.net/index.html
- xkcdpass package: https://pypi.org/project/xkcdpass/ and https://github.com/redacted/XKCD-password-generator
- readablepassword can be found at https://github.com/william-stearns/readablepassword
- The “Secrets in Your Data” episode ( https://www.pbs.org/wgbh/nova/video/secrets-in-your-data/ ) of Nova has a section on generating a multi-word passphrase using dice and a book containing a wordlist.
Thanks
- Randall Munroe, the author of XKCD. Randall has some excellent books at https://www.amazon.com/s?k=Randall+Munroe
- Adel I. Mirzazhanov, the author of apg.
- Aaron for reminding me about correct-horse-battery-staple!
- Steven Tobin, the author of xkcdpass.
- Keith and Aaron, for reviewing this.

Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.