pwgen is a well known tool to generate a list of passwords. I use it almost daily: when creating new accounts on remote servers, or when I want to encrypt sensitive data with a temporary password to send to a customer. Sometimes opening my terminal and typing pwgen 30 1 is faster than getting to the generator in my password manager[1].
I had noticed before that the passwords generated by pwgen seemed to contain patterns: repeating vowels is something that stands out. I hadn't thought about it much[2], until I saw a colleague type pwgen -s at his terminal.
What is this
As with most unix-y tools, a quick glance at the man page tells us everything we want to know. The -s is shorthand for
Generate completely random, hard-to-memorize passwords. These should only be used for machine passwords, since otherwise it’s almost guaranteed that users will simply write the password on a piece of paper taped to the monitor…
As it turns out, pwgen actually doesn't generate secure passwords by default. The passwords it generates are designed to be easily memorized. That explains the patterns I noticed before!
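Added example, not from the post or the pwgen project: a small Python check for the vowel/consonant alternation the post describes, so you can measure how "pronounceable" a generator's output looks instead of eyeballing it. The stand-in passwords are constructed by hand; `pwgen_sample` runs the real `pwgen` (with `-s` for secure mode) only if it is installed.

```python
"""Measure the consonant/vowel structure of generated passwords.

Assumption (not from the post): a pronounceable password switches between
vowels and consonants far more often than uniformly random output does, so
the fraction of adjacent letter pairs that switch class is a usable
structure indicator. It is a heuristic, not an entropy measurement.
"""
import math
import shutil
import subprocess

VOWELS = set("aeiouAEIOU")


def class_switch_ratio(pw: str) -> float:
    """Fraction of adjacent letter pairs where one is a vowel and the other is not.
    Digits and symbols are skipped; returns 0.0 if fewer than two letters."""
    letters = [c for c in pw if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    switches = sum(1 for a, b in zip(letters, letters[1:])
                   if (a in VOWELS) != (b in VOWELS))
    return switches / (len(letters) - 1)


def mean_switch_ratio(passwords) -> float:
    """Average switch ratio over a batch of passwords."""
    return sum(class_switch_ratio(p) for p in passwords) / len(passwords)


def charset_bits(pw: str) -> float:
    """Ceiling on entropy: length * log2(size of the character classes used).
    A patterned generator never reaches this bound, so treat it as an upper limit."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 32  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def pwgen_sample(secure: bool, length: int = 30, count: int = 100):
    """Return a batch from the real pwgen (pwgen -s if secure), or None if not installed."""
    if shutil.which("pwgen") is None:
        return None
    args = ["pwgen"] + (["-s"] if secure else []) + ["-1", str(length), str(count)]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout.split()


# Constructed stand-ins for the two modes (hand-written, not real pwgen output).
PHONEME_LIKE = ["Ohchohb8aegheeVi", "Phe4aeshiedooqu0", "iek9Aewohzaeb2ae"]
RANDOM_LIKE = ["xKq2$#Za8vRmnL3t", "7gW@bNcX9uHjQ4fY", "Lp5tVzMikRd8QwBn"]

if __name__ == "__main__":
    for label, sample in (("phoneme-style", PHONEME_LIKE), ("secure-style", RANDOM_LIKE)):
        print(f"{label}: switch ratio {mean_switch_ratio(sample):.2f}")
```

Run it against a few hundred lines of `pwgen_sample(False)` and `pwgen_sample(True)` on a machine with pwgen installed to see the gap on real output.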