Password Management

For Generating password hashes, see password.hashes

Password management is a critical role for any sysadmin. These four functions can help you with password management. They will work in both ksh and bash on openbsd or linux.

NOTE: jot isn't installed by default in Debian Linux. Run this to install it:

apt install athena-jot

NOTE: this is an older version of jot then used in OpenBSD. It doesn't work as expected when combining -r -c to -rc so the code below was modified to be compatible with both.

Append these lines at the end of ~/.profile:

# Generates a new random password 80 chars in length
function newpass {
       jot -r -c -s '' 80 33 127

# Generates a new alphanumeric password 80 chars in length
function alnumpass {
        cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w ${1:-80} | head -n 1

# Pages through all your passwords
function getpass {
        openssl aes-256-cbc -d -a -in $HOME/password.asc | less

# Writes all your passwords to ~/password
function allpass {
        openssl aes-256-cbc -d -a -in $HOME/password.asc -out $HOME/password

# Takes your passwords in ~/password, encrypts them, then overwrites password.asc
function savepass {
        openssl aes-256-cbc -a -in $HOME/password -out $HOME/password.asc && rm -P $HOME/password
	cp $HOME/password.asc $HOME/password.asc.`date "+%Y%m%d"`


To use the functions, first source the file:

$ . ~/.profile

Type this to view the defined functions

$ functions

Type the function in the command line:

$ newpass


newpass and alnumpass generate passwords and print them to the screen. The specifics are left to the reader to decode from the commands. Hint: they generate 80 character passwords. Adjust according to your needs.

The remaining functions manage encrypting, decrypting, and displaying a password file using openssl. To use it, first create a file called password in your home directory.

$ vi ~/password

Put what you want in this file. There is no set format. Once you're finished editing it, run this to encrypt it.

$ savepass
enter aes-256-cbc encryption password:

Enter the password you wish to encrypt the file with at the prompt. It will encypt the file to ~/password.asc and create a dated backup file ~/password.asc.<date>. It also deletes ~/password.

To view the contents of your password file type this:

$ getpass

This decrypts the ~/password.asc file and pipes the output to less for viewing on the screen. It isn't obvious, but you are being prompted for the password to decrypt the file. Your input wont be shown on the screen. If you get it right, you'll see the contents of the file, if you get it wrong, you'll see encoded gibberish. It doesn't create a decrypted version of the password file either way. Hit q and enter to quit.

To edit the password file type the following:

$ allpass

This decryptes the file to ~/password so you can edit it's contents. Remember to savepass again when finished to encrypt the updated file and remove the decrypted version.