Generate a random password
Produce a strong random password from the command line — cryptographic-quality, not `$RANDOM`.
How to generate a random password in each shell
Bash (unix): `openssl rand -base64 24`
Zsh (unix): `openssl rand -base64 24`
Fish (unix): `openssl rand -base64 24`
PowerShell (windows): `-join ((48..57) + (65..90) + (97..122) + (33..47) | Get-Random -Count 24 | ForEach-Object {[char]$_})`
`Get-Random` (pwsh 5.1) is **NOT cryptographically secure** — it seeds from system clock by default. For real password generation use `[System.Security.Cryptography.RandomNumberGenerator]::Fill($bytes)` on pwsh 6+ or `[System.Web.Security.Membership]::GeneratePassword(24, 6)` on 5.1 (requires `Add-Type -AssemblyName System.Web`).
cmd.exe (windows): `powershell -NoProfile -Command "-join ((48..57) + (65..90) + (97..122) + (33..47) | Get-Random -Count 24 | ForEach-Object {[char]$_})"`
Equivalents listed for Bash, Zsh, Fish, PowerShell, cmd.exe.
Gotchas & notes
- bash `$RANDOM` is a 15-bit PRNG (0–32767), seeded from PID + clock at shell startup. It is **NOT cryptographic** — given the seed (which a local attacker can often infer) the entire sequence is reproducible. NEVER use `$RANDOM` for passwords, tokens, salts, or any value an attacker shouldn't guess. The cryptographic sources are `/dev/urandom` (Linux/macOS), `openssl rand` (cross-platform via openssl), and `RandomNumberGenerator` (.NET).
- Charset-controlled fixed-length: `LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*' < /dev/urandom | head -c 24; echo`. `-dc` combines `-d` (delete) and `-c` (complement), so only the listed chars are kept. `LC_ALL=C` matters: on a UTF-8 locale `tr` can misinterpret high bytes; the `LC_ALL=C` prefix forces byte-level treatment and avoids `tr: Illegal byte sequence` on macOS BSD.
- pwsh 5.1 vs 6+ split: `[System.Web.Security.Membership]::GeneratePassword(LENGTH, MIN_NON_ALPHA)` returns a string and is cryptographic, but `System.Web` isn't loaded by default on 5.1 (`Add-Type -AssemblyName System.Web` first) and is deprecated on .NET Core / pwsh 7+. The modern path: `[byte[]]$b = ,0 * 24; [Security.Cryptography.RandomNumberGenerator]::Fill($b); [Convert]::ToBase64String($b)`.
- Entropy: a 24-byte (192-bit) random password base64-encoded is 32 printable chars, comfortably above any password-cracking horizon. If you need a memorable variant (passphrase), use `diceware` / `pwgen -B 0 -n 0 -y 1 -c -s 4` (4 random words from a list). Avoid the `correcthorsebatterystaple` pattern unless words are drawn from a vetted list of ≥ 7776 (the EFF wordlist) with truly random selection — `xkcd 936` requires ~5 words for typical strength.
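A reusable version of the charset-controlled one-liner, as an added example that is not part of the original page: it filters `/dev/urandom` through `tr -dc` in finite chunks and reports the entropy the chosen set and length actually provide. The function names `set_size`, `entropy_bits` and `gen_password` are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the page.
DEFAULT_SET='A-Za-z0-9!@#$%^&*'   # same set as the tr one-liner above

# set_size TR_SET: count the ASCII characters that TR_SET selects.
set_size() {
    LC_ALL=C awk 'BEGIN { for (i = 1; i < 128; i++) printf "%c", i }' |
        LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits LENGTH TR_SET: floor(LENGTH * log2(set size)).
entropy_bits() {
    awk -v n="$1" -v k="$(set_size "$2")" \
        'BEGIN { printf "%d\n", n * log(k) / log(2) }'
}

# gen_password [LENGTH] [TR_SET]
# Keeps only CSPRNG bytes that fall in TR_SET. Dropping the rest (rather
# than mapping bytes with modulo) leaves every character equally likely.
gen_password() {
    len=${1:-24}
    set_spec=${2:-$DEFAULT_SET}
    case $len in
        ''|*[!0-9]*|0*)
            echo "gen_password: LENGTH must be a positive integer" >&2
            return 2 ;;
    esac
    if [ "$(set_size "$set_spec")" -eq 0 ]; then
        echo "gen_password: TR_SET selects no characters" >&2
        return 2
    fi
    pw=''
    # Read finite chunks so no stage is killed by SIGPIPE; loop until
    # enough characters survive the filter.
    while [ "${#pw}" -lt "$len" ]; do
        pw=$pw$(head -c "$((len * 8))" /dev/urandom | LC_ALL=C tr -dc "$set_spec")
    done
    printf "%.${len}s\n" "$pw"   # truncate to exactly LENGTH characters
}

gen_password 24
echo "about $(entropy_bits 24 "$DEFAULT_SET") bits"
```

24 characters from the default 70-character set carry about 147 bits, versus 192 bits for the 32-character output of `openssl rand -base64 24`.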
Related tasks
- Generate a random number — Pick a random integer in a range — useful for sampling, sleep jitter, or simulation seeds.
- Generate a random string — Produce a fixed-length random ASCII string — useful for tokens, slugs, file suffixes, and test fixtures.
- Generate a UUID — Mint a random version-4 UUID (or, when ordering matters, a time-sortable UUIDv7) — for primary keys, idempotency tokens, request IDs, and any place a globally-unique identifier is needed without coordinating with a central allocator.
- Hash a file — Compute a cryptographic checksum (SHA-256 by default, MD5 / SHA-1 for legacy interop) of a file's bytes — for verifying downloads, deduplicating, comparing against a published manifest, or generating cache-bust keys.