Generating Secure Passwords for your Linux Server

During security audits, sysadmins will often have to set up new servers or harden existing server passwords. As a result, secure passwords have to be chosen for SFTP, admin panels, etc.

Many practices make a server secure, but often neglected is using secure passwords.

Notice that I didn’t include SSH or MySQL root passwords above. If you are serious about security, these should not be accessible via a remote password login.

For SSH, you should already use authentication keys and set PasswordAuthentication no in your SSHD config file.

For MySQL, you should use skip-networking bind-address = and iptables to block port 3306 or restrict access to specific IP(s). If MySQL is on the same server, connect via sockets.

pwgen example


Generating secure passwords

For selecting secure passwords, here’s what is recommended:

  • Passwords should be at LEAST 10 16 characters in length.
  • Include letters (mixed case), numbers, and special characters.


Using pwgen to generate a secure password

Here’s my go-to command-line method for secure password generation. The command I use is:

pwgen -y 32

Even more secure and easy to remember using the word ‘sync’:

pwgen -sync 16

Read more about pwgen. On most Linux distros, you can install pwgen using the systems package manager. For example:

apt install pwgen


dnf install pwgen

Once installed, here’s an explanation of the command I’m using above. You can fine-tune it to meet your needs.

-s, –secure: Generate completely random, hard-to-memorize passwords.

-y, –symbols: Include at least one special character in the password.

-n, –numerals: Include at least one number in the password.

-c, –capitalize: Include at least one capital letter in the password.

16: the length of generated passwords.

Need fewer generated passwords? Use pwgen -sync 16 1 where 1 = the number of password results.


Using ‘pass’ to generate a secure password

With pass, each password lives inside a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command-line file management utilities. Thus, pass is also a command-line password manager.


This is an updated article from 2013. Here’s the previous method from the original article…

Use the urandom command to generate secure passwords

Recommended urandom

< /dev/urandom tr -dc '[:graph:]' | head -c16;echo;

Right-hand only urandom

< /dev/urandom tr -dc '67890^*_+-=;:,.?yuiopYUIOPhjklHJKLbnmBNM' | head -c16;echo;

Left-hand only urandom

< /dev/urandom tr -dc '12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c16;echo;

Making this into a simple easy to remember command

Edit your bashrc

vi ~/.bashrc

Add this line:

spw(){ insert one of the above options here }


spw(){ < /dev/urandom tr -dc '[:graph:]' | head -c16;echo; }

Save and restart the server, or even better, reload bash using:

source ~/.bash_profile

Now in the future, type the following to generate a secure password:



It would take trillions of years to crack your password using these methods. This is why a strong password is essential.

How Secure Is My Password

Other Linux commands use OpenSSL, dd, and date to generate passwords, but urandom pwgen is my preferred method. Feel free to add your methods below.

Also, remember you should have security to avoid brute force password cracking. For example, after five failed attempts, the IP should be blocked and reported (for example,

More on how I set up that in a later article.


Published: November 23rd, 2013
Last updated: January 30th, 2023

Tags: , ,


  1. What perfect timing to be seeing this on the forum. I am getting ready to start my first Linux based server so this is handy to know. Security is super important, as we all know and setting it up right for a server is crucial. Are there any other sources you can link me to for setting up a Linux server for the first time?

  2. I still haven’t got behind using authentication keys for SSH yet. If I lose the key, I’m permanently locked out aren’t I? It seems a complex password is a better choice. I also use MFA to protect SSH which seems to be as good as security can get. Definitely open to being shown that I am wrong, definitely no expert here.

Top ↑