Cover V11, I07

Generating Passwords with Easypass.pl

Matt Lesko

This article describes a method of choosing secure passwords and a tool that I wrote to generate passwords of that nature. The tool is called easypass.pl and was inspired by Mark Pors' SortOfPronounceable-Password-Generator (available from http://www.dreamzpace.com/perl.html) along with a number of improvements. The generator presented here has many additional features, all designed to facilitate the use of secure passwords, and is licensed under the GPL.

Secure Password Theory

There are two main methods of cracking a password from the cipher-text (assuming the cipher is known and secure): dictionary attacks and brute force attacks. A dictionary attack is based on the fact that most passwords will appear in the dictionary (e.g., "password" or "snowball"). Simply trying all English words will crack a large number of passwords. Brute forcing tries every single character combination, often just the alphanumerics, and will crack passwords such as "july1984" without much more difficulty than the dictionary attack. A common solution is to require users to use passwords such as Gy43^%zA. A password of this sort is quite secure against password-cracking tools, but fails one important test: memorability. When forced to use passwords like this, most users will write down the password and attach it to their monitor, keyboard, desk, etc., thereby compromising security.

Easypass.pl creates passwords that will hold up against a password cracker, but are far easier to remember. Essentially, when run with the appropriate options, the program takes two random words from the system's dictionary file, inserts a random digit string and a special character (such as $, %, or &) between them, and outputs the concatenation of these elements as a password. An example of the typical output is:

troop78%boost

Installation and Configuration
Before you use easypass.pl, be sure that you have Perl installed, and know the location (often /usr/bin/perl). The script is reproduced in its entirety in Listing 1. It can also be obtained from the Sys Admin Web site or:

http://mattlesko.dyndns.org:8080/easypass.html

The only configuration that is required is to edit the location of your dictionary file. On most systems that I have encountered, this is located at /usr/dict/words or /usr/share/dict/words. If your system is different, edit line 14 ("my $dictionary = ...") so that it points to the correct place. If for some reason your system does not have a functioning dictionary file, I suggest you contact your vendor. Foreign language dictionaries have not been tested with this script, but I anticipate no reason why they would not work.

Once you have pointed easypass.pl in the right direction, copy it to a central location, such as /usr/local/bin, and inform your users of its presence and usage. My recommendation is to secure it with the permissions 0755 so that it will be globally executable by users on the system, who can then use it to create new passwords. If you wish to impose a certain password policy upon your users, you can write a shell script that calls easypass.pl with only the arguments that you specify. Due to the nature of the script, there is little reason not to make it available to your users as a general purpose tool; the only file read is /usr/dict/words, and the script does not have to be executed by a trusted user -- all users can use it without fear of causing any damage.

Execution

When executed without any options, easypass.pl will return ten passwords, consisting solely of two random words from the dictionary, concatenated together. If the dictionary file is missing, or not located in /usr/dict/words, the program will cease execution until you update the script with the location of your dictionary file (located at line 14). As discussed previously, two dictionary words alone are not very secure; therefore, we should add some options. The script accepts standard-style options (-h) and GNU-style options (--help). To get a list of the options from the program itself, run it with the help option -- either -h or --help.

The options supported by easypass.pl are:

-h, --help -- This option prints the options list, and a brief summary of the program.

-1, --oneword -- This option will force the program to use only one random word, as opposed to two; the default is "off" (or, to print two words). This option should be used when passwords have a limited effective length (such as older UNIX systems) where only eight characters have any effect on security.

-n, --number -- Adds a random, two-digit number to the password (the number of digits can be changed). By default, this option is off.

-s, --special -- Prints one special character (~, !, @, #, $, %, ^, &, *, (, ), _, -, +, or =) in the password (the number of special characters can be changed). By default, this option is off.

-l, --l33t -- Forces "l33t-sp34k" style passwords (i.e., replaces "e" with "3", "o" with "0" (zero), "i" with "1", "a" with "4", "t" with "7", and "s" with "$").

-w=x, --word=x -- Forces the words chosen at random to be of a certain character length. The default setting is five, and can range from three to eight.

-d=x, --digit=x -- Forces the number of digits to be a certain length. For this option to have any use, the number option must be added (obviously). The number of digits can range from one to eight, and the default is two.

-g=x, --slength=x -- Forces the number of special characters to be a certain length. The default is one, and there can be up to eight.

-p=x, --passwords=x -- Forces a certain number of passwords to be printed. The default is ten.
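As an added illustration (not the article's easypass.pl listing), the following Python sketch implements the scheme the options above describe: it filters a word list by length, inserts the digits and special characters between the two words as in the sample output, applies the l33t substitutions, and estimates the search space each option adds to the two-word baseline. The word list is a constructed stand-in for /usr/dict/words, the randomness comes from the secrets module, and the placement of digits and specials after a single word (-1) is an assumption.

```python
"""Python sketch of the easypass.pl scheme; added example, not the article's code."""
import math
import secrets
import string

# Special-character set the -s option draws from (as listed in the article).
SPECIALS = "~!@#$%^&*()_-+="
# Substitutions the -l option applies.
L33T = str.maketrans({"e": "3", "o": "0", "i": "1", "a": "4", "t": "7", "s": "$"})

# Constructed stand-in for /usr/dict/words; a real list has tens of thousands of entries.
SAMPLE_WORDS = ["troop", "boost", "river", "stone", "cloud", "maple", "quiet",
                "bread", "ocean", "tiger", "candle", "forest", "ant", "dog"]


def candidate_words(words, length=5):
    """Keep lowercase alphabetic words of the requested length (the -w option)."""
    return [w for w in words if len(w) == length and w.isalpha() and w.islower()]


def generate(words, oneword=False, number=False, digits=2, special=False,
             slength=1, l33t=False, wlen=5):
    """Build one password: word [digits] [specials] [word], mirroring the options."""
    pool = candidate_words(words, wlen)
    if not pool:
        raise ValueError(f"no {wlen}-letter words in dictionary")
    parts = [secrets.choice(pool)]            # secrets: OS CSPRNG, not rand()
    if number:                                # -n / -d=x
        parts.append("".join(secrets.choice(string.digits) for _ in range(digits)))
    if special:                               # -s / -g=x
        parts.append("".join(secrets.choice(SPECIALS) for _ in range(slength)))
    if not oneword:                           # second word unless -1
        parts.append(secrets.choice(pool))
    pw = "".join(parts)
    return pw.translate(L33T) if l33t else pw  # -l is deterministic, adds no entropy


def entropy_bits(pool_size, oneword=False, number=False, digits=2,
                 special=False, slength=1):
    """Bits of search space for an attacker who knows the scheme and the dictionary."""
    bits = math.log2(pool_size) * (1 if oneword else 2)
    if number:
        bits += digits * math.log2(10)
    if special:
        bits += slength * math.log2(len(SPECIALS))
    return bits
```

With a 5,000-word pool of five-letter words, two words alone give about 24.6 bits; adding -n and -s raises that to roughly 35 bits, which is the gap between "troopboost" and "troop78%boost" that the article describes informally.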

I recommend using at least a two-digit number and one special character, and possibly "l33t-sp34k" if your brain can easily remember it. Some machines have an eight-character effective limit, so don't get carried away and create a gargantuan password if only the first eight characters will be used. And, most importantly, remember that this generator is for password suggestions. If you don't care for the passwords suggested, run it again, or simply invent your own. I welcome any questions, comments, or additions you might have.

Further Reading

This article is not an exhaustive attempt at creating secure passwords. It should mainly be used for those organizations and users that need passwords that are easy to remember, yet not susceptible to attack. For information on implementing password security, see the FIPS 112 document, available at:

http://www.itl.nist.gov/fipspubs/fip112.htm

For a pronounceable password tool, see FIPS 181 for the theory:

http://www.itl.nist.gov/fipspubs/fip181.htm

and

http://www.multicians.org/thvv/gpw.html

for a Java applet similar to FIPS 181. Both of these rely on creating the password from random English syllables as opposed to words. Also, the APG (Automatic Password Generator), written by Adel I. Mirzazhanov, at:

http://www.adel.nursat.kz/apg/

provides random passwords in both a standalone and network version, in accordance with RFC 972 (http://www.ietf.org/rfc/rfc0972.txt).

Matt Lesko has worked as a systems administrator supporting Solaris, AIX, Linux, and OpenBSD for the past three years. He can be contacted at: matt@advancedatatools.com.