Generating Secure Passwords for your Linux Server

Very often I have to setup new servers or harden existing servers during security audits. As a result, secure passwords have to be chosen for root, cPanel accounts, etc. There are many composite practices that make a server secure, but often overlooked is using secure passwords.

How Secure Is My Password

Notice I didn’t list SSH or MySQL passwords. This is because if you are serious about security these should not even be accessible via remote password login! For SSH, you should already be using authentication keys and set PermitRootLogin no in your ssh config. For MySQL you should use skip-networking if MySQL is on the same server to connect via socket or use bind-address= to restrict MySQL connections to the IP/hostname of the web server. Or use IPtables to allow specific multiple IP addresses. That said, using secure passwords for MySQL is still recommended.

Now for selecting secure passwords, here’s what I recommend:

  • Passwords should be at LEAST 10 characters in length.
  • Include letters (mixed case), numbers and special characters.

If you are using Linux, you can use the urandom command to generate secure passwords:

Recommended urandom

< /dev/urandom tr -dc '[:graph:]' | head -c16;echo;

Right-hand only urandom

< /dev/urandom tr -dc '67890^*_+-=;:,.?yuiopYUIOPhjklHJKLbnmBNM' | head -c16;echo;

Left-hand only urandom

< /dev/urandom tr -dc '12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c16;echo;

Making this into a simple easy to remember command

      1. Edit your bashrc
        vi ~/.bashrc
      2. Add this line:
        spw(){ insert one of the above options here }


        spw(){ < /dev/urandom tr -dc '[:graph:]' | head -c16;echo; }
      3. Save and restart server or even better just reload bash using:
        source ~/.bash_profile
      4. Now in future just type the following to generate a secure password:

spwOn the left is a screen-crop of the output. Now, there’s also a free secure password service that you can use to generate strong passwords. Its the Secure Password Generator. Make sure to check all the “include” options and set length to 10 characters or more, then click generate and viola, you have created extremely secure passwords for copy and paste.

Of course this method applies beyond just Linux and using any of the above 16 character methods, it would take trillions of years to crack your password! This is why a strong password is VERY important. There are other linux commands that use openssl, dd and date to generate passwords, but urandom is my prefered method. Feel free to add your methods below.

Generating Secure Passwords for your Linux Server

15 Responses

  1. How would you recommend one store or remember these passwords? Personally I tell people never ever ever ever ever ever ever ever ever write/store your password anywhere in plain-text. Personally I use lastpass but my passwords are typically a series of random strings I have memorized and I use these strings in different orders on different sites. I also recommend using passwords that do not make up words as this alone makes brute-forcing much more difficult.

    Jason May 10, 2013 at 10:50 pm #
  2. Hi Jason, good question. I use KeyPassX ( for storing passwords. It even has a built in password generator. But typing securepw (can even shorten it to spw) is still faster. It works on Linux, Mac & Windows.

    @hydnj May 11, 2013 at 3:29 pm #
  3. In the recommended version I had to escape (insert a backslash) the ! character to avoid an error saying
    -bash: !@#$%qwertQWERTasdfgASDFGzxcvbZXCVB”: event not found

    Dazed_75 May 11, 2013 at 6:02 pm #
    • Thanks! I made a change today that must have broken it. I’ve fixed again.

      @hydnj May 11, 2013 at 6:26 pm #
  4. pwgen is one of the most used tools for generating passwords.

    RoseHosting May 12, 2013 at 2:53 am #
    • yes simple and easy to use.

      James August 25, 2016 at 8:19 am #
  5. You can use a character class with tr to simplify the command. The following will include all printable characters except space:
    tr -dc '[:graph:]'

    Or you could just use pwgen instead of rolling your own generator.

    Vance May 12, 2013 at 6:06 am #
  6. Thanks @Vance. Making that change now.

    Yes pwgen can be used. By default it does not include special characters and only 8 characters in length. To change this just add:
    pwgen -s -y 16 1

    @hydnj May 12, 2013 at 6:39 am #
  7. I have to create random passwords all the time, so I use sites like to help me. It’s generated client-side, so you don’t have to worry about your password being sent over the wire.

    Joel May 15, 2013 at 6:32 pm #
    • Seems like an ok site but I would prefer if it was https.

      @hydnj May 16, 2013 at 7:00 pm #
  8. Agreed, especially if it generated passwords server-side and then sent them to your browser, like this popular password generator does: (it’s insanely popular, and doesn’t transfer via HTTPS).

    However, since it’s client-side, I can’t understand why HTTPS would make it better, except to make non-techy folks feel “safer”.

    Joel May 16, 2013 at 7:19 pm #
    • That solution (the https version) is already linked to within my blog post above:

      As quoted from the non https version you linked to: “To create a password please choose from the options below and click Generate Password(s) or click here to use the SSL secured version of the generator.”

      So there’s options for everyone’s preference… techy and non-techy.

      @hydnj May 16, 2013 at 7:24 pm #
  9. Aha! Had never seen that option before. :)

    Joel May 16, 2013 at 7:26 pm #
  1. Links 13/5/2013: New Linux/Open Source Documentary, Lots More About International Space Station | Techrights - May 13, 2013

    […] Generating Secure Passwords for your Linux Server […]

  2. The Sony Hack: An Inside Job. Here's why... - Hayden James - January 3, 2015

    […] Use difficult passwords (change them regularly). […]

Leave a Reply