How to generate good passwords with pwgen
Whenever I change passwords on my systems, I need to try to think up ones that will be hard to crack as well as easy to remember and to type. I suck at that.
Fortunately, Linux has a tool for that. The pwgen command is designed to generate a list of random — sort of — passwords from which you can choose the one that will be easiest for you to remember and type. The pwgen program is designed to create passwords that are at least somewhat memorable because — as the man page says, “…completely randomly generated passwords have a tendency to be written down, and are subject to being compromised in that fashion.”
Installing pwgen
The Fedora spin I use doesn’t install pwgen so you’ll need to install it yourself. This must be done as root.
# dnf -y install pwgen
You can install pwgen on Ubuntu and Mint systems, as well as other Ubuntu-based distros.
# apt install pwgen
The basics
By default, pwgen generates passwords that have phonetic elements that can be useful in helping users to memorize them. A password that can be memorized is far more secure than one that can’t be, because the latter is more likely to be written down and stuck to the display or under the keyboard.
The easiest way to generate a list of passwords is to enter the command with no options or arguments. The pwgen command can be used by any non-root user, so it’s not necessary to escalate your privilege level to use it. This creates a list of 160 passwords that contain only upper- and lowercase letters and numbers. You can see in the listing that at least some of them can be easily memorized as they make some sort of sense. However, I expect that the ones that make sense to me may not be the same ones that do to you.
$ pwgen
ji5au4Au OiTa7yah aeNg3xie looCah1d auVa9hei eish4waF vaeJahm7 iy1DeeH4
xoo4oa8I Shei9aoX ami7OoDi un8ohMoo see6Uy6v zeS5eequ eez0Uixi iC1Thi6J
Seenai4S aiGasai4 OoZ2thae eik6oHee SoSah4er Um2tai5e Aquooyu1 taequ7Ba
die7Ahd3 naik7ahN OoQu7tho Me7shaez yah9ohSh jujaZi0u eiZoo4oh Eishoo6b
Aegap5oh Fahxu7et EiPh9quo is9Hoo0d Pohd3eiv kooreeL8 aiphae2J eeP8uphe
ahgh2Oqu ahSh5eew maifi4Iz uiRai7ah joap3EiG ajeePh1u zer9EiMe Ma4ohmee
Oolebah9 lai3ouWo Eu0chah6 ait5ooCo eg6Uo2Se TohZa6ee Ca5peich Aicoloo3
aiPooj9u aiqu9Aiw aiCahk0S Raing6oo uec6ooZu EiDui7xu veChai5R Queem6uv
yah3Aofo Jee4aeg4 SahSha1G ahBeepa0 aiWagoh3 vieviY3i Coonie0r ig0Sie1f
aifee9Sh ohs5Rie5 aeriZie3 Shi8eyee Yeu1ak1e reJe3Wai ahGee7ve Uij5me1U
Wohng6th uV2Doa6u oobah9Fu aelieTi9 begh0eSi oxae9uSh xooShei0 Ahy2oosh
uv5kooM7 zah3KaiT Oba9we0a du8aeNgu zieBohl1 ui5OhBee Pheiwoh7 gaiSeil5
Ofa8caec aiH0Lail Loh2eice wei9ooPh Ite1ooye Xohxeiz7 sooxeeY0 jahM0Iey
Zohjeu9L uo0Wai7u Ein4Thoh rieY7uz6 Pe2jeeph oLoo3OhW aeQuaeh0 Eev5ephe
sah5XooZ OhaiT0li al8oor8G iLie8goo Eethov9e chiew9Ei cax7bieW Iuthu0th
ic1Hie1i ief9Lima thaSh8oo yeem8Mah aT5augun zo2aeKut ohPha7ve aiHoh1Nu
thahTh5E hahgh4Je eiHaeB4i ooth3meT na4nooJi wiey7Wai Ba7YeiK7 Oorayac1
eiKeK6ij vaC4eer5 wuv7Liku ei6Iavae sah1UoCh Iex4Jeix jo5Ogh0e Buphei5w
tah6mohZ Pai8guQu aiy6Gei7 Ierei4ae gipeiHu4 geof2Cho Rie8eh3P io3euTh2
upaiw3To LohZoo9e ci7li0To uoWae9Hi iec7eiFa Phivil7Y OoQu9fuf cowahS7o
The man page suggests that, because these passwords can be memorized, they should be used only on hosts that you must log into via the keyboard. More complex passwords can be used in other places.
The default is for pwgen to generate passwords of eight characters, which seems to be the minimum most sites will allow. However, to be more secure, you can easily specify longer passwords using a single numeric argument.
$ pwgen 10
ieC6ahroov Awoy3iegoo eF4Haiz2zu bieH9xooCh WeedaCh2Ua ba2SaiGu3p soh3aiv0At
Yai0ieGo1t tieFeo3pai ohviDeaC6i tiokooD5ah vae1uZufee eem0lioRoh ohphaiVe5o
Ca5theehee Mahkoh4hei caj4Ohc6oa jieYo8taiz ebie1eeThu co0Ee8Ohse ieThah6vae
Nuu8ZaePhu paegh8Loex AeV9Hah8No Yahh5kaeSa ahBaech1bo chahKi7ohc oCh3eer8ei
shaiS1chah hie4Sho3ie cei0Aixaix pohp9saiDu nieW1wahja choon4Eid4 ana4zaXuch
ooDai0oche aid6Vahy2M yoof5eiShu de5shee6oW IeS1EeXo3c Iepaulei6l chaH6eeriv
ahJai3piim Airae0apoo WahD2loomo Ahj5mahlie Naihu9oasa doo7aGe9eh ue1Eagoe5a
Owei0yaing eZeem1mieb ooF8wahyie teiPus3uK3 evaxee8duF Ooch3Phaem geeth8OoPh
chee8UoCie za7fu4aiQu vohZ4kee8t akoh8eo5Pi Vooh9chosu Ki9iy2ohna Ail3queer7
ohph4aeWee iyahqu9ieG leich7Goqu phaeC3kagi ko2zooQuai shahmae2iS quogh1eiHe
aeSah2fah3 vo7phahTh5 ahn4aeRee4 fee5EeBoh5 cotaeGeaH0 TieGhae2ei Oumi5jiVei
Me6otei2bi eepe1Iesah teiQu7ujie ohmieVa3ee aex0yeiWoh Eebai7iey2 Bahw5ocogo
Uohuvaic7i aezo8sie8A oonaThah4o fahNge1ien Jooh6eiy8u po8Shuveez eet3Iethii
tha5Pee5po Uy9pojaqu6 aChieJ8cah Xohb2eigh2 wieFoo9rai xiapo1aiKu if7If4Yooj
eovo3Phu3x yei1ooKiec Mee6AiPiaJ ighieKoh2m eePh5Pu5ge rai3AhL6ag Iep6eegeem
PieH7iemei covohgho9B ej4jae7ohG reix7Ea0ci eegh7eiSha PongeJah1d Ek5uphahgu
EthuaPh4Ch toh3juuGha Eesh8ahtho meenga3Iel ieJ1ahxoob nohM3oen0m SiTeith9ah
woa7Tae4wa Eeneikae1e Eiroh7shah ping8ahSh2 peeG0xeuw8 EethuPhi3K eer6ohPie7
iKuow3phua oGaih7gohg ooGhae4nai ONie4aetha aiVu9Phiwu Ewe8bei0Ee AhZ4aeFaih
easahYo9oo Va9Oo0cuc7 veezei9Thu Waroopai8e Ahx1eeciBe xeph5On3Oh ee8nahYai8
A second argument can be used to specify the number of passwords to be generated. In this example, I’ve specified 20 passwords of 10 characters.
$ pwgen 10 20
aeh1ooWaes Oocheb4uv0 joh7ein6Ai shaiw2Fee0 iiP0VaiX2i tei9Ue5ohr ahquupoo4P
eePhieD9Hu NaKachu5ed mahph5Rait uu7Eekoh9s zohgohN3Ja zahsh5leuH Ip5dieyeir
sai0ez1Bai po9siuc3Ge Yoom8Vae4j ibee1eeQu3 Heughu6iet Oowomie7ai
Adding complexity
We all know that more complex passwords, those with more types of characters, are much more secure because they are less easily cracked. pwgen has two options for adding complexity. The first is the -y option which will cause pwgen to generate passwords with at least one special character.
$ pwgen -y
aeli!T2d ci6woh>D cou4Oe!v dee6ui>C fi#Kei1f zai;Y5Ze Aoyoo-w1 Sa|e7uji
anie`Te7 Lab1ahP` ocai}T5p Hu[i5en6 Ein6eed} ju.Shu5e Ui*shae8 ootee*X1
gai6Iex@ Vae5ahx{ AiCh?ai6 OhZ;uto0 Bai!Jah2 ZaM|ie5F uSh:ie5k eo"W2iof
wu3Sae_W Quo3Een; ba0Zah.d agi?qu6U ohB"u2Ee reiB_ax2 oop<ah0G iTh1ohn_
Zoo}Yao1 uZ1jiem` Aex3ieP) iu"V1vex eng9uLu< boX8ooM. ohwi%o6G ahgoh!C4
Phaf\oi7 ro4Eing. eY{iQu8o pi2No+Pa uLo9oot~ eequ8oS| ka@Ngo3y Ub!ohk5I
Tho_i&h8 qui"i9Cu eng9Un'e Ho<e9xeu Quoo5hu} ofai>M8a Ohz5rei" bai`See3
Ya>ix2Re eila?B3i Ief`e0ie li7Vei"K mie&L9Xe Thu6yah> Fee,ng8a rai8oG(a
aa4Ang@a Thur+oo8 poh4vo/V HeBo/a9z os;ooL6o Thae4do~ Po6Kae[d ca9die?C
loo~p6Ah gi\aPeo5 xoh6eeX{ Ohfa@v6T kai^Tie7 oe9oJ?oi ahB8Aj<a Ooth1pa@
ieHi:m6e No^ow0ch hoo~ch4S vi%o8Aih Uis2cei) ju4Joh=m oir9Ohh, fie(N6Sh
Oek5cae; Eiw<i9oh Kei8aip\ see3eeG] Ba[Qu0ie Zoo4ic)i reCai(p4 wi]u'R4a
UT0aiGh` eeL&ej6f rai)Y0ee sua^g1Sh ue6fa/K0 fiZ4dui. Aig9Zai+ xe0AJoo{
Quoh!Ch0 AhCai=r6 Xeix^o3A zae\X2me oChoo^V7 ooT(u0uR hae'K6ji iew'aeS0
guo3Aph' ar#a*M2k aib*e1Ie wu#Raez7 ai<c6Hee eD3jai"g Ahx-eek7 eir1Mae/
ni1Yu%yo so6go\Qu ce+uZ7ae Loh>h0Ko Oosi9Is~ Ies}ah9h Nei6kah- Aehi}m5J
eC*oo3ae rai0ahJ{ Iek:ei9u ji9Ahw$o ea(V0ahr veep9Se* iL%i7soh ocaJ;ae4
aci*J4oa uK9fiet@ OL@u]o8e Zey`oh4a cha,Y#a3 aek5Ti%t ieNg^ae6 aiP|oh0b
tu3pi.Se ahH9ieR~ ieD~ai8o Yae0Zoh[ hoo?Lo9e ahd2Uw}e Gah,r5aC faRo!j0u
ux9iGh}a wei?B4ah ahx,e3Mi eN5aesh& ugh5Di-m eth8aB=u Ce3OV|ae PhePe)f4
Based on the results above, the -y option generates passwords with one special character most of the time. I found three in the example output above that have more than one special character.
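The same kind of tally can be scripted. This is an added example, not part of the original article or of pwgen itself: a small shell function (the name pw_audit is an assumption) that reads pwgen output on standard input and counts how many passwords lack an uppercase letter or digit and how many contain zero, one, or more than one special character. The two sample rows are copied from the listings in this article.

```shell
#!/bin/sh
# Added example: tally character classes in pwgen output read on stdin.
# Typical use (assumes pwgen is installed): pwgen -y | pw_audit
pw_audit() {
    LC_ALL=C awk '
    {
        for (i = 1; i <= NF; i++) {
            s = $i
            len = length(s)
            # gsub returns the match count; "&" leaves the text unchanged
            lower = gsub(/[a-z]/, "&", s)
            upper = gsub(/[A-Z]/, "&", s)
            digit = gsub(/[0-9]/, "&", s)
            special = len - lower - upper - digit
            total++
            if (min == 0 || len < min) min = len
            if (upper == 0) no_upper++
            if (digit == 0) no_digit++
            if (special == 0) sp0++
            else if (special == 1) sp1++
            else sp2++
        }
    }
    END {
        printf "total=%d min_len=%d no_upper=%d no_digit=%d ", total, min, no_upper, no_digit
        printf "special0=%d special1=%d special2plus=%d\n", sp0, sp1, sp2
    }'
}

# One row copied from the -y listing above.
sample_y() {
    cat <<'EOF'
aci*J4oa uK9fiet@ OL@u]o8e Zey`oh4a cha,Y#a3 aek5Ti%t ieNg^ae6 aiP|oh0b
EOF
}

# One row copied from the default listing earlier in the article.
sample_default() {
    cat <<'EOF'
ji5au4Au OiTa7yah aeNg3xie looCah1d auVa9hei eish4waF vaeJahm7 iy1DeeH4
EOF
}

sample_y | pw_audit
sample_default | pw_audit
```

A nonzero no_upper, no_digit or special0 count flags candidates that would fail a site policy requiring those character classes, so they can be skipped before one is chosen.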
For even more secure passwords, ones that have no phonetic basis to help us humans to memorize them, the -s option generates completely random passwords.
$ pwgen -s 10
tnhPqqgV6G Z1XpCsxVxn RlUsrgmcq9 2a3i0i30zU Ggmeg6d6LC msaYRtr4Bq c5p2mYB5NB
v543U0OU6r PCuVF8WOnA CzeenL9P7B Zb8EKKXl4Y lZ7jx1uX9w 7eJ0jsqpl9 s2hN43wLlX
59s9Gd4n3E uH85NXM7zJ s7kJSYifTD LHAJtQEu59 8MOM7GAgze RtVVcgGya3 rVCCiH41I7
we0odgDC2Z Q1pAAAYyKP 18pxJnQiKN lBot2KdyOp 3w83kXo1sP tEP4EGtzCH B5ViEDwpN5
wz4CVBxw1o qO5UK7wNw9 Zk0Jp4RQ4a 3y9P2QDti5 ose0QYKIKP eK4fp6Dyyf FTBUS3OcR7
t1FeciYpoq 3FO87fCGHo yuSpVuz0m5 nLVqDzK4LC DfJQ2Oh9d3 8H8X5mi0S3 LPw8V32Xcr
YQ7o70uS0r T8pkzNA0tE iMdWZk7ZYF MdCME7Evqy celVIke678 CJIF96pyYW 7QZtyXj2sr
iJ5u2hYNlY 0wPYtw3mcp VKTwU0D74t 6pECjdrdqb rKBWNNu8GT OiI577iDXD sN2IXoXwE9
9XBU1aEm8A 6RlxPH831J 01iuuZA2Cu MxNem1FQDT CF5LSmNoTy 2JV5R3xe3g AWlItRm8Wf
MQTh3YPEto OXc7fPp2EJ DwgkiY4TsH 151JCuN6S5 czpW58AE0L 5iRTTnFGGi UpmLCjuT0b
n0fpqJxuSW aHEvbNC6xj ZPtW4yhuOm ZHlTtsaWg0 Jj9vTGIsWK m6HxdIH7vF J4zoUZDeDe
0zu85mpZ0O MulnPh4qON YfJe8BH63z erO4vUkxIA 8BD7sriATB 59FlEXDw51 1IL6jrU4Y0
ZayKSqSB3k ezvips79Kw s0DvMgQ738 9yN2GwB5mT yijWZ1wBAw Tt8MRQDU9S hh5jn5fgGI
rIAa5iZ6tX IDEW1Gdf8t b3mPUGOeT5 1pLqXL6OxO EBA21olkat ryeyCv10qe bA9yOdst1U
iNYiWQSn4B 4t5rIZ334Z vfk5JSIwvp 47gNTnRC9I mW1HufjRp6 uRlgAyMK6T 1Z9e6kkBeA
tSh2HvfFEF jhshZkR24U 23UdM5Vby6 tl5F8TKsp7 WB41wfbT0d MAMh59XjdG CDnTYduk9C
FvYj96gETb rpbP4CzDA0 PSOoGv2n2j ts6E4jG9KV CVbI7qe7hG 5vpNgSlOjV qxfCBgXq41
JRx5UwL7Jf J6pLXYIWtK XouAzA7j3c s3px1ZorJo RjfVU4aQT8 y8KBdrY23E k54XAIG1NU
Wl8eNkIU6g qLNsPWJXP6 XOi6qbblHI bKK1a34fBx JB7U8ZDfDu DSnAbCrL3B ObhkkT71DF
Jyem2pkm0T QjW12oFCRF SshSF8Jr41 eUPm2p9ZTL fxqEC28uPw xlZhGwsFg2 jsaymEFkx2
For those times that call for extremely secure passwords, the -s option adds more special characters when used with the -y option. And, of course, longer passwords are better.
$ pwgen -sy 25 50
&"GU[55~av}OxL0q^P*=aGT3z Lro[XpfEL:a@gR'E'LL;,8U+2 _:Jew'7#K$W$$E@E5-B/hjA6#
q$z!CbCf=9cVXC1N|ub?!-sw\ sg,bPMM#(9YZApb|%nhIE~pHE xPj68VJ`YR<aT!fU4hmW.A'b~
tz`/<2T_(YHiAIY^&P0R%#FAe ~<5Z_:eu)lee$;@^}S|\r/bgd J>]C<^~Xq-u:z8O5OyK="Cexc
joh,"O(X0&RmZ"t6A+#_yp[kr H2LR.()mU@/73~s0`>i}6IU+A 1kMBfpEnM@(?jaaMzG(pu,<~q
#=jPT:^s]KI`yLB([3AxjSzXq S*JhyAOsOo"fo$a9J?g`EUV*e '6-t4L]x\_$z{XLuRwu_"2B81
zMQ$6J7q+_<]r,&HrI\Jaa%&a %YJ$*}';T*"sF<-5*a8O)S27M 0Mahf0Aj&/N%IzEV_U0)!@bu^
<<$z54s_"1tpa'&XnT3*t9qxC Ghq*M{ylE?08c}<@^0A/4X[#K hJ}J|FkxC|%R',0C+S9WlLi;\
S~D&toGpC`JV-&;e35R\w#5Mn *HR4$Jp8:7>gr^apD%5NcHN/] `cj[lKhenrp5,,a#]|{hwS<Hm
4z=npiL$i-XX/}My\\A@u.x/% [6c5f~?E^A]pHVunlP~:J|2&B ^r*Juk^>clydh7Blpr|<lA&y6
vK$pE0?;s@%'p^<sWa5;)A6oP Qx!@0D51tg~Av}}Q(EZJr}>Tl r_IPm[#A%1mwmv0{`J|]cy3(E
=.M^%2DOYwe/-L\QC"Z8Gw@b! KlgEPvi?{q7=B[(_JQY,q?&v4 5/Sb.TiW)I^H><@1A~D(c[8sw
@6a&a!,o5O?z%\Hem]""rmm^\ KwSM{gbDC<E{zS#"AV15rUrKB J1wwYb/Qy@j|K0t$g^j6|gxoi
L;crF&Y9.+QgSdEgVjM|1e7gU QSwqY*p'FTgA7r)K^BaY`i;s6 L)Gf=&&=n)x5EVNx^Ipm*{}'a
qXXn8BOC3Wd9(&oWy"la7BO(e ,%Y8^e(^WqY2_AiJ&DAIhjQ$n zRG"j3ZBjod-1iBSMSI=Xod{+
qQ30(QW)X{CgI?NTPvBej~9dl X}dpEB"ArBU$QGTV1++`qEy@u _Y5l&$w/DmDMlpLo(NL;NBnh?
)=&%``8FV6a/*#:iKQo6b7@I_ kF|"1Fc6Q]YyZd/f{(cjyfTs< dho;F=mo&6wZJ<)6H3p;O%x:.
|"AlS2yqmoty'dIF<#)|s}C?j F0U$_sXAcN3`KyN%xoh^:{>cJ
Other options
pwgen has some additional options that allow modification to the composition of the passwords. For example, the -v option prevents the use of vowels in the generated passwords. The -r option allows you to specify a list of characters that are not to be included in the passwords; this is handy if you want to prevent certain of the special characters from being used.
Finally, the -B option prevents use of characters that might be confused, such as the letter O and the numeral 0.
Final thoughts
The pwgen utility is a handy tool for generating passwords for various use cases. Its primary intention is to create passwords that are relatively easy for users to memorize, but it also has the capability to generate very long and complex passwords where a greater level of security is required.
I like the man page for pwgen because it gives a bit of advice about how to use the program and its results. Those admonitions should be considered.