ooo

Reputation: 743

bash generate secure password with no special characters

I have a daily bash process that requires using a new password everyday.

To avoid dealing with special characters, I generate passwords using the MD5 of the product of two $RANDOM variables:

md5sum <<< $(($RANDOM * $RANDOM))

My idea is: since $RANDOM generates a random integer between 0 and 32,767, generating two random ints and multiplying them increases the search space to 32,767^2 = 1,071,711,169.

I am not a security expert, so I am curious whether my approach is reasonably secure and, if not, what the better approaches are.

Upvotes: 1

Views: 3764

Answers (2)

that other guy

Reputation: 123490

No, this is not reasonably secure. There are several problems:

  • Bash uses a simple linear random number generator, so it's not strongly random
  • Bash seeds this generator with the time of day and pid, so if you know roughly when a password was generated (even just the year) you already reduce your search space by a lot.
  • Multiplying two numbers from 0..n does not give n^2 possibilities because 1*16 = 2*8 = 4*4 = 8 * 2 = 16*1. A quick program shows that for two numbers 0..32768, you have 232,483,839 possible products.
  • Even if you fixed that and did get 1,071,711,169 possibilities, that's equivalent to just 5 alphanumeric characters, and could be cracked pretty quickly if anyone knew your password generation scheme.

Upvotes: 3
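The two quantitative points in this answer (products collide, and the remaining keyspace is only about five alphanumeric characters) can be checked directly. The following is an added example, not code from the question or the answer; it counts distinct products for a range you choose (the full 0..32767 range is about a billion pairs, so smaller ranges are used to show the trend) and converts a keyspace size into bits and into the equivalent number of uniformly random alphanumeric characters. It needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example: quantify why (a*b) over 0..N has far fewer than (N+1)^2
# outcomes, and how large the resulting keyspace really is.

# count_products N: number of distinct values of a*b for a, b in 0..N.
# awk keeps the enumeration fast; N=1000 is a million pairs.
count_products() {
    awk -v n="$1" 'BEGIN {
        for (a = 0; a <= n; a++)
            for (b = 0; b <= n; b++)
                seen[a * b] = 1
        c = 0
        for (k in seen) c++
        print c
    }'
}

# entropy_bits SIZE: log2 of the number of equally likely outcomes.
entropy_bits() {
    awk -v s="$1" 'BEGIN { printf "%.1f\n", log(s) / log(2) }'
}

# alnum_equiv SIZE: length of a uniformly random [A-Za-z0-9] string
# with the same number of possibilities (62 symbols per character).
alnum_equiv() {
    awk -v s="$1" 'BEGIN { printf "%.1f\n", log(s) / log(62) }'
}

# 0..1000 gives 1001*1001 ordered pairs, but many map to the same product,
# and the asker's scheme can never exceed 32767^2 = 1071711169 even if
# every product were distinct.
echo "distinct products for 0..1000: $(count_products 1000) of $((1001 * 1001)) pairs"
echo "bits in a keyspace of 1071711169: $(entropy_bits 1071711169)"
echo "alphanumeric characters with the same keyspace: $(alnum_equiv 1071711169)"
```

The bit count is the number that matters: a generator whose seed is the time of day and the pid has even less effective entropy than the keyspace size suggests, because an attacker who knows the generation date only has to try seeds from that day.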

John1024

Reputation: 113864

A secure way to generate a password of any desired length, say 20 characters, and consisting only of alphanumeric characters is:

cat /dev/random | tr -dc '[:alnum:]' | head -c 20

If /dev/random is too slow for your taste, the following is fast and probably more than good enough:

cat /dev/urandom | tr -dc '[:alnum:]' | head -c 20

This has advantages over md5sum because (a) it uses all alphabetic characters, not just a-f, and (b) it produces both upper and lower case.

For a discussion of the security and urandom vs random, see this post: "When to use /dev/random vs /dev/urandom".

Upvotes: 11
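The one-liner above wrapped as a function, with a check on its output, as an added example that is not part of the answer. Two details a practitioner would want: `tr -dc` keeps exactly the 62 byte values that are alphanumeric and discards the other 194, so because each byte from /dev/urandom is uniform over 0..255, each kept character is uniform over the 62 allowed ones (no modulo bias of the kind you get from `byte % 62`); and `LC_ALL=C` makes `tr` operate on bytes, since in a UTF-8 locale some `tr` implementations reject random input as an illegal byte sequence. The `is_alnum` and `password_bits` helpers are names chosen for this example.

```shell
#!/bin/sh
# Added example: alphanumeric password from /dev/urandom, plus checks.

# gen_password [LEN]: LEN (default 20) uniformly random [A-Za-z0-9] characters.
gen_password() {
    len="${1:-20}"
    # Rejection sampling: every byte outside the 62 alnum values is dropped,
    # so the surviving characters are unbiased. LC_ALL=C = work on raw bytes.
    LC_ALL=C tr -dc '[:alnum:]' < /dev/urandom | head -c "$len"
}

# is_alnum STRING LEN: succeed only if STRING is exactly LEN alphanumeric chars.
is_alnum() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# password_bits LEN: entropy of LEN uniformly random alnum characters,
# i.e. LEN * log2(62), rounded to the nearest bit.
password_bits() {
    awk -v n="$1" 'BEGIN { printf "%.0f\n", n * log(62) / log(2) }'
}

# Sanity checks: right length, right character class, and two calls differ.
pw1=$(gen_password 20)
pw2=$(gen_password 20)
if is_alnum "$pw1" 20 && is_alnum "$pw2" 20 && [ "$pw1" != "$pw2" ]; then
    echo "password: $pw1 ($(password_bits 20) bits)"
else
    echo "generator check failed" >&2
    exit 1
fi
```

At 20 characters this is about 119 bits, which is why the daily-password use case in the question is well served by the urandom version; the length, not the source, is what you tune.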
