Today I learned pwgen is not secure by default

by on May 29, 2022
  • linux
  • security
  • technical

The command-line tool pwgen is a well known tool to generate a list of passwords. I use it almost daily: when creating new accounts on remote servers, or when I want to encrypt sensitive data with a temporary password to send to a customer. Sometimes opening my terminal and typing pwgen 30 1 is faster than getting to the generator in my password manager [1].

I had noticed before that the passwords generated by pwgen seemed to contain patterns: repeating vowels is something that stands out. I hadn’t thought about it much [2], until I saw a colleague type pwgen -s at his terminal.

What is this -s?

As with most unix-y tools, a quick glance at the man page tells us everything we want to know. The -s is shorthand for --secure:

Generate completely random, hard-to-memorize passwords. These should only be used for machine passwords, since otherwise it’s almost guaranteed that users will simply write the password on a piece of paper taped to the monitor…

As it turns out, pwgen actually doesn’t generate secure passwords by default. The passwords it generates are designed to be easily memorized. That explains the patterns I noticed before!
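A small check for the observation above, added here as an example (it is not pwgen's code and does not reproduce its algorithm): a heuristic that flags passwords whose vowel density is far above what uniform sampling from letters and digits produces, plus a CSPRNG-based generator for comparison. The threshold and the sample batch are constructed assumptions.

```python
import secrets
import string

VOWELS = frozenset("aeiou")
# Heuristic threshold (assumption): uniform picks from [A-Za-z0-9] average
# about 16% vowels (10 of 62 symbols); pronounceable passwords sit well above.
VOWEL_RATIO_THRESHOLD = 0.30
ALPHABET = string.ascii_letters + string.digits


def vowel_ratio(password: str) -> float:
    """Fraction of characters that are ASCII vowels (y counts as a consonant)."""
    if not password:
        return 0.0
    return sum(c.lower() in VOWELS for c in password) / len(password)


def looks_pronounceable(password: str) -> bool:
    """True when vowel density is far above what uniform random sampling gives."""
    return vowel_ratio(password) > VOWEL_RATIO_THRESHOLD


def audit(passwords):
    """Split a batch into suspected memorable-mode passwords and the rest."""
    flagged = [p for p in passwords if looks_pronounceable(p)]
    ok = [p for p in passwords if not looks_pronounceable(p)]
    return flagged, ok


def random_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (the kind of output
    you want for machine credentials; not pwgen's implementation)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample batch, not real pwgen output: the first three mimic
# the vowel-heavy memorable style, the last three mimic uniform output.
SAMPLE = ["Aek0Aewi", "eeTh5Ohk", "aiW8Aihe", "xQ7pL2mZ", "k9Rt3VwB", "e5Tq9Wzo"]

if __name__ == "__main__":
    flagged, ok = audit(SAMPLE)
    print("suspected memorable-mode:", flagged)
    print("looks uniformly random:  ", ok)
    print("fresh random password:   ", random_password())
```

Run it over a real batch (for example the output of pwgen with and without -s) to see the two modes separate on this metric.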

[1] KeepassXC is a great password manager with local storage.

[2] I should have checked the man page right away: patterns are a red flag in cryptography.