PWGEN Command-Line Guide — Options, Examples, and Best Practicespwgen is a lightweight, widely available command-line utility for generating passwords. It’s designed to quickly produce pronounceable, random, or policy-compliant passwords for interactive use, scripts, or automation. This guide covers installation, command-line options, practical examples, integration tips, and security best practices so you can choose the right options for different scenarios.
What pwgen does and when to use it
pwgen generates passwords using configurable character sets, length, and output formatting. It’s useful when you need:
- Quick interactive passwords for accounts or test systems.
- Bulk password generation for provisioning users or devices.
- Scripted secrets creation in automation pipelines (with care for secrecy).
- Easily readable, pronounceable passwords when memorability matters.
pwgen trades off perfect entropy for usability in some modes (e.g., pronounceable passwords). Know when to prefer a full-entropy generator (like /dev/urandom-based tools or a cryptographic library) vs. a convenience tool like pwgen.
Installation
On common Linux distributions, pwgen is typically available from package repositories:
-
Debian/Ubuntu:
sudo apt update sudo apt install pwgen -
Fedora:
sudo dnf install pwgen -
Arch Linux:
sudo pacman -S pwgen -
macOS (Homebrew):
brew install pwgen
For systems without a package, you can download source from the project repository and build it with the standard ./configure && make && sudo make install steps.
Basic usage and syntax
The basic pwgen invocation is:
pwgen [OPTIONS] [pw_length] [num_passwords] - pw_length: desired length of each password (default varies; typical default is 8).
- num_passwords: number of passwords to output (default 1 or multiple depending on version).
Example:
pwgen 12 5 Generates five 12-character passwords.
Important command-line options
-
-s, –secure
Generate completely random, hard-to-memorize passwords (uses stronger randomness and avoids pronounceable patterns). Use for high-security secrets. -
-y
Include at least one special character (punctuation) in passwords. -
-1
Force one password per line (useful for scripting and piping). -
-B
Avoid ambiguous characters like ‘0’, ‘O’, ‘l’, ‘1’, and ‘I’ (reduces confusion when reading or transcribing). -
-v
Generate “Vowel/Consonant” style (pronounceable) passwords — the default behavior in many builds. -
-A
Avoid capital letters. -
-n
Include digits (numbers) in the generated passwords. -
-C
Capitalize the first letter of each password. -
-h, –help
Show help and exit.
Note: exact flags can vary slightly by pwgen version/distribution; check man pwgen on your system.
Examples
-
Quick pronounceable passwords (default style):
pwgen 10 5Output: five 10-character, easy-to-type/pronounce passwords.
-
Strong, non-pronounceable passwords suitable for databases or API keys:
pwgen -s 20 3Generates three 20-character high-entropy passwords.
-
Ensure special characters are present:
pwgen -s -y 16 4Generates four 16-char secure passwords with punctuation.
-
One-per-line for scripting:
pwgen -1 -s 32 1Outputs a single 32-character secure password on its own line.
-
Avoid ambiguous characters for printing on labels:
pwgen -B 12 10Generates ten 12-character passwords without confusing glyphs.
-
Use in a script to create user credentials (example):
USERPASS=$(pwgen -s 14 1) useradd -m alice echo "alice:$USERPASS" | chpasswdStore or transmit USERPASS securely — do not log or expose in process lists.
Integrating pwgen in automation and DevOps
- Generate secrets at provisioning time and write directly into secure secret stores (HashiCorp Vault, AWS Secrets Manager, Kubernetes Secrets) rather than plaintext files.
- For ephemeral secrets in CI pipelines, use environment variables carefully and scrub logs.
- Use one-per-line (-1) and avoid interactive terminal output when writing to files.
- Prefer pwgen -s for automation that requires cryptographic-level randomness.
Example: store a generated password in HashiCorp Vault (illustrative):
NEW_PASS=$(pwgen -s 24 1) vault kv put secret/db-creds username=dbuser password="$NEW_PASS" Entropy and security considerations
- Pronounceable passwords produced by pwgen (default) are easier to remember but have lower entropy than uniformly random strings. For high-security needs (TLS keys, root passwords, database secrets), use -s to get stronger randomness.
- pwgen typically sources randomness from the system CSPRNG; however, behavior can vary by version. When in doubt, verify that it uses /dev/urandom or platform CSPRNG.
- Avoid embedding generated passwords in logs, command histories, or publicly readable files. Use secure storage and strict file permissions (e.g., chmod 600).
- Minimize exposure in process listings: some shells allow hiding arguments; better to read password from stdin or use variable assignment where possible.
Common pitfalls and how to avoid them
- Accidentally committing generated passwords to version control — always add secrets to .gitignore and use dedicated secret management.
- Relying on pronounceable defaults for high-value accounts — switch to secure mode (-s) when entropy matters.
- Echoing passwords in shared terminals or CI logs — redact or silence output.
- Using short passwords — choose length based on threat model; 16+ characters is a practical baseline for many services.
Examples of policy-driven generation
If you need passwords that meet policy rules (length, digits, punctuation, uppercase), combine pwgen flags, then validate in script:
pwgen -s -1 16 1 | grep -Eq '[A-Z]' && echo "OK" || echo "Missing uppercase" For stricter control, generate and post-process:
pwgen -s 16 5 | while read p; do if [[ "$p" =~ [A-Z] ]] && [[ "$p" =~ [0-9] ]] && [[ "$p" =~ [[:punct:]] ]]; then echo "$p" break fi done Alternatives and when to use them
- Use system CSPRNG-backed tools (openssl rand -base64, /dev/urandom readers, or libsodium-based utilities) for cryptographic keys.
- Password managers (Bitwarden, 1Password, KeePassXC) are preferable for human-managed accounts because they handle storage, rotation, and syncing.
- Use pwgen when you need quick, local generation and you control secure storage.
Comparison table:
| Tool | Best for | Strengths | Weaknesses |
|---|---|---|---|
| pwgen | Quick password generation | Fast, flexible, pronounceable options | Pronounceable mode lower entropy by default |
| openssl rand | High-entropy random strings | Strong randomness, widely available | Requires encoding/formatting |
| /dev/urandom + scripting | Custom entropy needs | Full control, high entropy | More complex to script safely |
| Password managers | Human account management | Secure storage & rotation | Requires trust in provider, setup overhead |
Practical checklist before using generated passwords
- Use secure mode (-s) for high-value secrets.
- Choose sufficient length (16+ for most sensitive uses).
- Avoid printing to logs or history; write directly to secure stores.
- Rotate credentials periodically and after suspected exposure.
- Use unique passwords per service; never reuse.
Conclusion
pwgen is a pragmatic, fast tool for generating passwords from the command line. For routine, low-to-moderate sensitivity uses, its pronounceable defaults make life easier; for high-security needs, use the secure (-s) option and integrate output with secret management systems. Combine pwgen with careful handling practices (no logs, secure storage, adequate length) and it’ll serve reliably in both interactive and automated workflows.
Leave a Reply