a common trick when generating random passwords is to Base64-encode random bytes

Originally shared by Sakari Maaranen

On UNIX and Linux systems, a common trick when generating random passwords is to Base64-encode random bytes; for example, this generates an 18 character long Base64-encoded password:

echo $(base64 /dev/random | head -c 18)

That’s fine, but the plus and slash (also underscore and hyphen) characters used in standard Base64-encoding schemes are laid out differently on the keyboard depending on country. This can cause trouble when trying to log on the machine, if the locale setting doesn’t match that of the actual keyboard used.

One way to solve this in environments where you need to deal with many locales, is to generate passwords using only those characters that are laid out the same regardless of locale.

Now try this:

echo $(cat /dev/random | tr -dc ‘!%,.0-9A-Xa-x’ | head -c 20)

Use one of the following strings between the single quotes on the above command line:

This generates a strong password that works the same with US, UK, German, and Scandinavian keyboard layouts:

!%,.0-9A-Xa-x (N=62)

If you don’t care about the German layout, you can use:

!%,.0-9A-Za-z (N=66)

If you want to support French as well, then you can only use:

0-9B-LN-PR-VXb-ln-pr-vx (N=50)

You can find the appropriate password length by replacing the desired bits of entropy for H and the above given value for N, typing the following in Google search:

H / (log(N) / log(2))

Always round the result up.

If you don’t know how many bits of randomness you need, just use H=96, but be warned: If you’re working on anything serious, you’d better educate yourself and make sure you know how many bits you want.



Leave a Reply