Yet Another Random Password Generator (YARPG) – a Python Tool

February 8, 2016 | Anne Henmi

Password.

Just saying "password" gives most information security professionals heartburn and makes users roll their eyes.

Even in the movies, bad passwords are a joke:

"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!" - Dark Helmet, from the 1987 comedy, Spaceballs.

With more websites requiring logins and passwords, it's cumbersome to keep track of all of them and even harder not to use something simple. This has opened a market for password managers such as KeePass, LastPass, and 1Password. These tools are great, and some of them even have their own password generators and can be hosted locally instead of in the cloud.

That solves the problem of having multiple passwords stored in a central location. But what if you're really paranoid and do not trust having your passwords online or stored in their application or mobile app?

There are some password generators, like Automated Password Generator (apg), that are available as Linux and BSD packages. The Linux apg is not to be confused with a Windows-only random password generator called "Awesome Password Generator."

The two password generators use different types of algorithms, pick varying strengths, and have different options.

Being an information security professional, I err more on the side of paranoia. I wanted something simpler that uses a secure random seed and is portable. Also, I store my passwords in an encrypted local file to keep them off the cloud in case the cloud storage is compromised.

Using the Linux apg as a guide, I wrote Yet Another Random Password Generator (YARPG), a command line tool that uses a couple of basic options (type, number of passwords, password length) to create a password with a secure random seed. It is written in Python, so it should run on any system that has a Python (version 2.7 or later) interpreter installed. YARPG is open source under the BSD license and is available in the YARPG GitHub repository.


YARPG uses the secure random function os.urandom(), which should make the generated passwords cryptographically secure. If you're interested in the details of the function, see https://docs.python.org/2/library/os.html#os.urandom and https://docs.python.org/2/library/random.html#random.SystemRandom.

After you have it downloaded, you will be able to run the command:

$ python yarpg.py -h

This displays the usage and the defaults:

usage: yarpg.py -L pwlength -n numberofpw -t type
Default number of passwords: 3
Default length of each password: 15 characters
Default password type: complex

The default password length of 15 characters makes this more secure, as many systems require only 6-8 characters at minimum, and 15-character passwords usually will not trigger a "this password is too long" error. Believe it or not, there are still many systems that require shorter passwords.

You have the option of defining a password length of 1 character to as large as your system can handle or however long you're willing to wait for the password(s) to generate.

Since some websites limit passwords to alphanumeric characters and do not support special characters, YARPG can produce two different password types:

  • Alphanumeric: This uses only upper and lower case letters and numbers
  • Complex: This uses alphanumeric characters and special characters

For those who want to generate both alphanumeric and complex passwords at the same time, you can give YARPG the type both.
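
How a generator of this kind can turn os.urandom() output into the alphanumeric and complex types described above, as an added example that is not YARPG's own code. The character sets, the function names and the rejection-sampling step are assumptions, since the post does not show YARPG's internals.

```python
import math
import os
import string

# Assumed character sets; YARPG's actual sets are not listed in the post.
ALPHA = string.ascii_letters + string.digits
COMPLEX = ALPHA + string.punctuation


def generate(length, charset, rand_bytes=os.urandom):
    """Build a password by mapping CSPRNG bytes onto charset without bias."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if not 1 < len(charset) <= 256:
        raise ValueError("charset must hold 2 to 256 symbols")
    # Largest multiple of len(charset) that fits in one byte. Bytes at or
    # above it are discarded; using byte % len(charset) on them would make
    # the first few symbols of the charset slightly more likely.
    limit = 256 - (256 % len(charset))
    out = []
    while len(out) < length:
        for b in bytearray(rand_bytes(length)):
            if b < limit and len(out) < length:
                out.append(charset[b % len(charset)])
    return "".join(out)


def entropy_bits(length, charset):
    """Entropy of a uniformly random password: length * log2(|charset|)."""
    return length * math.log(len(charset), 2)


def batch(count=3, length=15, pwtype="complex"):
    """Mirror the post's defaults: 3 complex passwords of 15 characters."""
    sets = {"alpha": [("Alphanumeric", ALPHA)],
            "complex": [("Complex", COMPLEX)],
            "both": [("Alphanumeric", ALPHA), ("Complex", COMPLEX)]}
    rows = []
    for i in range(1, count + 1):
        for label, charset in sets[pwtype]:
            rows.append((label, i, generate(length, charset)))
    return rows


if __name__ == "__main__":
    for label, i, pw in batch(2, 15, "both"):
        print("%s Password #%d: %s" % (label, i, pw))
    print("15 chars: alpha %.1f bits, complex %.1f bits"
          % (entropy_bits(15, ALPHA), entropy_bits(15, COMPLEX)))
```

The rand_bytes parameter exists only so the byte source can be swapped for a fixed sequence when testing; in normal use it stays os.urandom.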

Examples

Here are a few examples of how easy YARPG is to use. Note that I’m not using any of these passwords, and neither should you.

If you want to generate the default of 3 complex passwords that are 15 characters, run yarpg.py without any options:

$ python yarpg.py
Complex Password #1: *n+M>(3z~4wk`%<
Complex Password #2: V-lC.=|Qi,sC{?K
Complex Password #3: KvfMaB+|Sdx=PA|

Generate 5 alphanumeric and complex passwords with the default 15 character length:

$ python yarpg.py -n 5 -t both
Alphanumeric Password #1: VPn2VAlolLXmSTf
Complex Password #1: T-rqBkjO:aI=oq
Alphanumeric Password #2: cJh9NIYhFmHrVMP
Complex Password #2: JnZUKtKu.=v3?t)
Alphanumeric Password #3: fLrIHVCPKqBJayj
Complex Password #3: iB0)x;]l*>W3(Zb
Alphanumeric Password #4: gk530W9uKPcWpUN
Complex Password #4: t1kfX{srM-ERd,^
Alphanumeric Password #5: 7Pf8EFTJ5UQ6IEJ
Complex Password #5: kdy"V-<pP)N^.!U

Generate one alphanumeric password that's 10 characters long:

$ python yarpg.py -n 1 -t alpha -L 10
Alphanumeric Password #1: 8QTVr9nPIv

Generate 10 complex passwords with 30 characters:

$ python yarpg.py -n 10 -L 30
Complex Password #1: }&M$cFNWlxqcG$]zHX$t_:OVlE6mJK
Complex Password #2: R+%9b2b1PQl!RyBo{j+BDeNX&EoFPw
Complex Password #3: <LyQh"sK+'yL;zi"gKlx|?z$.I1Jw
Complex Password #4: F|>>O_yZiyi^Y:CS=lLAG,%4c+[+J_
Complex Password #5: $JX|rY.oa[pp2!<a)PfO~Kvg3bm>fd
Complex Password #6: KR9Ru"_aLr#>Yd4_z=EBp2XfTLxIll
Complex Password #7: ,Md>pFpVE9nK9o}m6b>Mp3okPx4$v
Complex Password #8: For)@_e:6Se^&/Jk~s98,WC&<Zef
Complex Password #9: |ZQK-d5ICLE#h|(u`wec*t"[email protected]
Complex Password #10: 753JE"k+!ZmMGidf<zSLxs(fF#a59b

Remember to copy your passwords to a secure storage site - either a cloud-based password manager or a local encrypted storage (not a sticky note placed for everyone to see), so you can access them later.

If you have any feedback on how to improve the functionality of YARPG or any bugs, please let me know through my GitHub account. YARPG has been tested on Mac OS X 10.11, Debian Linux, OpenBSD, and Windows 7.


About the Author: Anne Henmi

Like most infosec types, Anne Henmi prefers to keep a low profile, as she is usually heads down designing AlienVault’s training materials. After she experienced information security operations, product security engineering, and various positions in IT security, Anne has decided to stick with the technical education side of information security while occasionally building new tools to help make security easier for others. In personal time, Anne builds LEGO sculptures.
