# generate password containing ASCII characters without spaces (96 possible characters)
strings -n 1 < /dev/urandom | tr -d '[:space:]' | head -c15
# generate base64 password (64 possible characters)
openssl rand -base64 15


see also: KeePassXC

A key derivation system is a method where you use a function to generate a password for a service based on the name or URL of said service and a master password.

Your key can still be compromised, and then the secrets it protects are not even encrypted. Anyone who has one password for one service and knows the method of key generation can even derive passwords for other services. The only difference is that they don't know your usernames for these services or exactly which services you use, but it's not that hard to find out the email addresses you usually use or to try out services.

And any website can lose your password; you then have to increment some salt, and that gets confusing: where do you store the salt? Do you store it at all? What number do you have to use for that obscure service you only use once every few months? Do you even have an account with that site?
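The scheme and the two weaknesses described above, as an added sketch that is not part of the original page. PBKDF2-HMAC-SHA256, the `service:counter` salt layout, the iteration count, and all names and sample values are assumptions chosen for illustration.

```python
import base64
import hashlib

ITERATIONS = 100_000  # assumed work factor, kept low so the demo runs quickly


def derive_password(master, service, counter=1, length=20):
    """Derive a site password from master password, service name and counter."""
    salt = f"{service}:{counter}".encode()  # assumed salt layout
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    return base64.b64encode(raw).decode()[:length]


def find_master(leaked, service, candidates, max_counter=3):
    """Offline check of candidate master passwords against one leaked site password."""
    for guess in candidates:
        for counter in range(1, max_counter + 1):
            if derive_password(guess, service, counter, len(leaked)) == leaked:
                return guess, counter
    return None


if __name__ == "__main__":
    master = "correct horse battery"  # constructed sample value
    # Nothing is stored: the same inputs always give the same password.
    print(derive_password(master, "shop.example"))
    # After a leak the counter is bumped, and that number must be remembered.
    leaked = derive_password(master, "forum.example", counter=2)
    print(leaked)
    # One leaked site password plus the known method is enough to test guesses
    # of the master password offline; a hit yields every other site password.
    hit = find_master(leaked, "forum.example", ["letmein", master, "hunter2"])
    if hit:
        print("master found:", hit, "->", derive_password(hit[0], "shop.example"))
```

With independently random per-site passwords kept in an encrypted vault, a leaked site password gives no way to test guesses of the master password or to compute any other entry.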

There are many benefits to a password manager, and if you use a keyfile, a strong password and secure (as in: reasonably tamper-proof) systems, a regular password manager is just as secure as, or even more secure than, key-derivation-type password managers.

  • Last modified: 2020-04-18 19:51