forked from jbernard/pwgen
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pwgen.1
149 lines (149 loc) · 4.86 KB
/
pwgen.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
.TH PWGEN 1 "January 2006" "pwgen version 2.05"
.SH NAME
pwgen \- generate pronounceable passwords
.SH SYNOPSIS
.B pwgen
[
.I OPTION
]
[
.I pw_length
]
[
.I num_pw
]
.SH DESCRIPTION
The
.B pwgen
program generates passwords which are designed to be easily memorized by
humans, while being as secure as possible. Human-memorable passwords
are never going to be as secure as completely completely random
passwords. In particular, passwords generated by
.B pwgen
without the
.B \-s
option should not be used in places where the password could be attacked
via an off-line brute-force attack. On the other hand, completely
randomly generated passwords have a tendency to be written down,
and are subject to being compromised in that fashion.
.PP
The
.B pwgen
program is designed
to be used both interactively, and in shell scripts. Hence,
its default behavior differs depending on whether the standard output
is a tty device or a pipe to another program. Used interactively,
.B pwgen
will display a screenful of passwords, allowing the user to pick a single
password, and then quickly erase the screen. This prevents someone from
being able to "shoulder surf" the user's chosen password.
.PP
When standard output (stdout) is not a tty,
.B pwgen
will only generate one password, as this tends to be much more convenient
for shell scripts, and in order to be
compatible with previous versions of this program.
.PP
In addition, for
backwards compatibility reasons, when stdout is not a tty and secure
password generation mode has not been requested,
.B pwgen
will generate less secure passwords, as
if the
.B \-0A
options had been passed to it on the command line. This can be
overriden using the
.B \-nc
options. In the future, the behavior when stdout is a tty may change, so
shell scripts using
.B pwgen
should explicitly specify the
.B \-nc
or
.B \-0A
options. The latter is not recommended for security reasons, since
such passwords are far too easy to guess.
.B
.SH OPTIONS
.TP
.B \-0, \--no-numerals
Don't include numbers in the generated passwords.
.TP
.B \-1
Print the generated passwords one per line.
.TP
.B \-A, \--no-capitalize
Don't bother to include any capital letters in the generated passwords.
.TP
.B \-a, --alt-phonics
This option doesn't do anything special; it is present only for
backwards compatibility.
.TP
.B \-B, --ambiguous
Don't use characters that could be confused by the user when printed,
such as 'l' and '1', or '0' or 'O'. This reduces the number of possible
passwords significantly, and as such reduces the quality of the
passwords. It may be useful for users who have bad vision, but in
general use of this option is not recommended.
.TP
.B \-c, --capitalize
Include at least one capital letter in the password. This is the default
if the standard output is a tty device.
.TP
.B \-C
Print the generated passwords in columns. This is the default if the
standard output is a tty device.
.TP
.B \-N, --num-passwords=\fInum
Generate
.I num
passwords. This defaults to a screenful if passwords are
printed by columns, and one password.
.TP
.B \-n, --numerals
Include at least one number in the password. This is the default
if the standard output is a tty device.
.TP
.B \-H, --sha1=\fI/path/to/file[#seed]
Will use the sha1's hash of given file and the optional seed to create
password. It will allow you to compute the same password later,
if you remember the file, seed, and pwgen's options used.
ie: pwgen -H ~/your_favorite.mp3#your@email.com gives
a list of possibles passwords for your pop3 account, and you can
ask this list again and again.
.IP
.B WARNING:
The passwords generated using this option are not very random. If you use
this option, make sure the attacker can not obtain a copy of the file.
Also, note that the name of the file may be easily available from the
~/.history or ~/.bash_history file.
.TP
.B \-h, --help
Print a help message.
.TP
.B \-s, --secure
Generate completely random, hard-to-memorize passwords. These should
only be used for machine passwords, since otherwise it's almost
guaranteed that users will simply write the password on a piece of
paper taped to the monitor...
.TP
.B \-v, --no-vowels
Generate random passwords that do not contain vowels or numbers that
might be mistaken for vowels. It provides less secure passwords to
allow system administrators to not have to worry with random passwords
accidentally contain offensive substrings.
.TP
.B \-y, --symbols
Include at least one special character in the password.
.SH AUTHOR
This version of
.B pwgen
was written by Theodore Ts'o <tytso@alum.mit.edu>.
It is modelled after a program
originally written by Brandon S. Allbery, and then
later extensively modified by Olaf Titz, Jim Lynch, and others.
It was rewritten from scratch by Theodore Ts'o because the original program
was somewhat of a hack, and thus hard to maintain, and because
the licensing status of the program was unclear.
.SH SEE ALSO
.BR passwd (1)