Saturday, August 10, 2013

Very Bad Password Advice

This post on How-To-Geek about generating passwords from the command line advocates generating passwords from the current date and time.


The first command they give is (note double fail: base64-encoding hex):
 date +%s | sha256sum | base64 | head -c 32 ; echo  
They do provide a command that gives a good alphanumeric password:
 tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1  
However, they also mention this one:
 date | md5sum  
About the above command, they say, "I'm sure that some people will complain that it's not as random as some of the other options, but honestly, it's random enough if you're going to be using the whole thing." That is absolutely wrong and demonstrates a complete lack of understanding of what a hash function is.

Lessons Learned:
  • Hashing does not add randomness: the output of a hash has no more entropy than its input, however long the digest is.
  • Use a cryptographically-secure random number generator to generate passwords.
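To make the lesson concrete, here is an added example (not from the original post or from How-To-Geek) that reproduces the `date +%s | sha256sum | base64 | head -c 32` pipeline for a chosen timestamp, bounds the entropy of any timestamp-derived password by the size of the time window, and contrasts it with the `tr -cd '[:alnum:]' < /dev/urandom` approach. The epoch value is a constructed sample, and the 62-symbol alphabet assumes the C locale's `[:alnum:]` class.

```python
import base64
import hashlib
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # [:alnum:] in the C locale (62 symbols)


def date_derived_password(epoch_seconds: int) -> str:
    """Reproduce `date +%s | sha256sum | base64 | head -c 32` for one timestamp.

    `date +%s` prints the epoch seconds plus a newline; sha256sum prints the hex
    digest, two spaces and "-" (for stdin) plus a newline; base64 encodes that
    text and head keeps the first 32 characters. Same second in, same password out.
    """
    date_output = f"{epoch_seconds}\n".encode()
    sha_output = f"{hashlib.sha256(date_output).hexdigest()}  -\n".encode()
    return base64.b64encode(sha_output).decode()[:32]


def timestamp_entropy_bits(window_seconds: int) -> float:
    """Upper bound on the entropy of a password derived from a one-second timestamp
    known to lie within a window of `window_seconds`; hashing cannot raise it."""
    return math.log2(window_seconds)


def alnum_entropy_bits(length: int) -> float:
    """Entropy of `length` characters drawn uniformly from the alnum set."""
    return length * math.log2(len(ALNUM))


def random_alnum_password(length: int = 30) -> str:
    """Equivalent of `tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1`,
    drawing from the OS CSPRNG through the secrets module."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


if __name__ == "__main__":
    t = 1376092800  # constructed sample: 2013-08-10 00:00:00 UTC, the date of the post
    print("same second, twice:", date_derived_password(t), date_derived_password(t))
    print(f"timestamp known to within a year: {timestamp_entropy_bits(365 * 86400):.1f} bits")
    print(f"30-character alnum password:     {alnum_entropy_bits(30):.1f} bits")
    print("CSPRNG password:", random_alnum_password())
```

A 32-character base64 string looks like 192 bits of material, but when it is derived from a timestamp the whole space of candidates is just the number of seconds in the window the password could have been generated in.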