Password Generation

The generate command creates cryptographically secure random passwords using Go's crypto/rand package.

Prerequisites

Basic Usage

secretctl generate [flags]

Default Password

Generate a 24-character password with all character types:

secretctl generate

Output:

x9K#mP2!nQ7@wR4$tY6&jL

The default password includes:

  • Lowercase letters (a-z)
  • Uppercase letters (A-Z)
  • Numbers (0-9)
  • Symbols (!@#$%^&*()_+-=[]{}|;:,.<>?)

Command Options

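| Flag | Short | Description | Default |
|------|-------|-------------|---------|
| --length | -l | Password length (8-256) | 24 |
| --count | -n | Number of passwords (1-100) | 1 |
| --no-symbols | | Exclude symbols | false |
| --no-numbers | | Exclude numbers | false |
| --no-uppercase | | Exclude uppercase | false |
| --no-lowercase | | Exclude lowercase | false |
| --exclude | | Characters to exclude | "" |
| --copy | -c | Copy to clipboard | false |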

Customizing Password Length

Longer Passwords

# 32-character password for high-security use
secretctl generate -l 32

# 64-character password for encryption keys
secretctl generate -l 64

Shorter Passwords

# Minimum 8-character password
secretctl generate -l 8

Caution: Passwords shorter than 16 characters may be vulnerable to brute-force attacks. Use longer passwords for sensitive accounts.

Generating Multiple Passwords

Generate several passwords at once:

# Generate 5 passwords
secretctl generate -n 5

Output:

kL9#mN2!pQ7@rS4$
tU6&vW8*xY0^zA2%
bC4(dE6)fG8+hI0-
jK2=lM4[nO6]pQ8{
rS0|tU2;vW4:xY6,

Useful for:

  • Creating passwords for team onboarding
  • Generating test credentials
  • Password rotation across services

Character Set Customization

Alphanumeric Only

For systems that don't accept symbols:

secretctl generate --no-symbols

Letters Only

For codes or identifiers:

secretctl generate --no-symbols --no-numbers

Numbers Only

For PINs or numeric codes:

secretctl generate --no-symbols --no-uppercase --no-lowercase -l 6

Output:

847291

Uppercase Only

For system codes or license keys:

secretctl generate --no-symbols --no-numbers --no-lowercase

Excluding Ambiguous Characters

Remove characters that look similar to avoid confusion:

# Exclude 0/O, 1/l/I which are easy to confuse
secretctl generate --exclude "0O1lI"

This is useful for:

  • Passwords that will be read aloud or typed manually
  • QR codes and printed materials
  • Reducing user error in manual entry

Common Exclusion Sets

# Exclude ambiguous characters
secretctl generate --exclude "0O1lI"

# Exclude characters problematic in shells
secretctl generate --exclude '$`"'\''\\!'

# Exclude XML/HTML special characters
secretctl generate --exclude "<>&'\""

Clipboard Integration

Copy the generated password directly to clipboard:

secretctl generate -c

Output:

kL9#mN2!pQ7@rS4$tU6&vW8*
WARNING: Password copied to clipboard is accessible by all processes
Clipboard will not be automatically cleared. Overwrite manually when done.
Password copied to clipboard

Platform Support

| Platform | Clipboard Tool |
|----------|----------------|
| macOS | pbcopy (built-in) |
| Linux | xclip or xsel |
| Windows | clip (built-in) |

Caution: The clipboard is accessible by all running processes. Clear it after use by copying other content.

Linux Setup

Install clipboard support on Linux:

# Debian/Ubuntu
sudo apt install xclip

# Fedora
sudo dnf install xclip

# Arch
sudo pacman -S xclip

Practical Examples

Database Password

A strong 32-character password for a database:

secretctl generate -l 32 | secretctl set DB_PASSWORD

API Key Format

Generate alphanumeric strings suitable for API keys:

secretctl generate -l 40 --no-symbols

WiFi Password

Human-readable password for sharing:

secretctl generate -l 16 --exclude "0O1lI"

SSH Key Passphrase

Strong passphrase for SSH key protection:

secretctl generate -l 24 -c

Team Onboarding

Generate temporary passwords for new team members:

# Generate 10 passwords for onboarding
secretctl generate -n 10 -l 16 --no-symbols

AWS Secret Key Format

Simulate AWS-style secret access keys:

secretctl generate -l 40 --no-symbols

Backup Encryption Key

Generate a high-entropy key for backup encryption:

secretctl generate -l 64 --no-symbols

Password Strength

Entropy Calculation

Password strength is measured in bits of entropy:

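| Configuration | Charset Size | 24-char Entropy |
|---------------|--------------|-----------------|
| All characters | 94 | ~157 bits |
| No symbols | 62 | ~143 bits |
| Letters only | 52 | ~137 bits |
| Alphanumeric lowercase | 36 | ~124 bits |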

Higher entropy = stronger password.

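| Use Case | Minimum Length | Recommended |
|----------|----------------|-------------|
| Personal accounts | 12 | 16+ |
| Database passwords | 24 | 32+ |
| API keys/tokens | 32 | 40+ |
| Encryption keys | 32 | 64+ |
| Master passwords | 16 | 24+ |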

Combining with Other Commands

Generate and Store

# Generate and store a new password
secretctl generate | secretctl set SERVICE_PASSWORD \
  --notes="Auto-generated on $(date)" \
  --expires="90d"

Generate for Export

# Generate multiple passwords and export
# IFS= and -r keep each line byte-for-byte (no backslash or whitespace mangling)
secretctl generate -n 5 | while IFS= read -r pw; do
  printf 'Temp password: %s\n' "$pw"
done

Rotate Password

# Generate new password and update existing secret
secretctl generate -l 32 | secretctl set DB_PASSWORD \
  --notes="Rotated on $(date +%Y-%m-%d)"

Security Considerations

Cryptographic Security

secretctl uses Go's crypto/rand package, which:

  • Uses the operating system's cryptographic random number generator
  • Is suitable for security-sensitive applications
  • Never uses pseudorandom generators like math/rand
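
The following Go program is an added example, not secretctl's own source. It shows one way to pick password characters uniformly with crypto/rand, and how an --exclude style filter shrinks the character set and therefore the entropy figures in the table above. The names alnum, buildCharset, generate and entropyBits are hypothetical, the length error wording is constructed, and only the --no-symbols (62-character) case is modeled.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

const alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" // 62 chars, the --no-symbols case

// buildCharset drops every character listed in exclude (the --exclude idea).
func buildCharset(base, exclude string) (string, error) {
	var b strings.Builder
	for _, r := range base {
		if !strings.ContainsRune(exclude, r) {
			b.WriteRune(r)
		}
	}
	if b.Len() == 0 {
		return "", fmt.Errorf("character set is empty")
	}
	return b.String(), nil
}

// generate draws each index with rand.Int, which is uniform over [0, n), so no character is favoured.
func generate(length int, charset string) (string, error) {
	if length < 8 || length > 256 { // range from the options table
		return "", fmt.Errorf("password length must be between 8 and 256")
	}
	out := make([]byte, length)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
		if err != nil {
			return "", err
		}
		out[i] = charset[idx.Int64()] // byte indexing is safe: charset is ASCII
	}
	return string(out), nil
}

// entropyBits is length * log2(charset size), valid for uniform independent picks.
func entropyBits(length, size int) float64 { return float64(length) * math.Log2(float64(size)) }

func main() {
	cs, _ := buildCharset(alnum, "0O1lI") // constructed input, cannot fail here
	pw, _ := generate(24, cs)
	fmt.Printf("%s charset=%d entropy=%.1f bits\n", pw, len(cs), entropyBits(24, len(cs)))
}
```

Excluding the five ambiguous characters leaves 57 of the 62 alphanumerics, so a 24-character password drops from about 143 to about 140 bits.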

Clipboard Security

When using --copy:

  • The password is accessible to all running processes
  • The clipboard is not automatically cleared
  • Always overwrite the clipboard after use

Avoid Logging

Be careful not to log generated passwords:

# Bad: prints the password to the terminal, where scrollback or session logs can capture it
echo $(secretctl generate)

# Good: Pipe directly or use clipboard
secretctl generate | secretctl set MY_SECRET
secretctl generate -c

Shell History

The generate command itself is safe for shell history as it doesn't contain the password in the command line.

Troubleshooting

"clipboard tool not found" Error

On Linux, install a clipboard tool:

# Install xclip
sudo apt install xclip

# Or install xsel
sudo apt install xsel

"password length must be at least 8" Error

Minimum password length is 8 characters:

# This fails
secretctl generate -l 4

# Use minimum of 8
secretctl generate -l 8

"character set is empty" Error

Ensure at least one character type is enabled:

# This fails - all character types excluded
secretctl generate --no-symbols --no-numbers --no-uppercase --no-lowercase

# Include at least one type
secretctl generate --no-symbols --no-numbers

Clipboard Not Working

Verify that the clipboard command is available:

# macOS
which pbcopy

# Linux
which xclip || which xsel

# Windows (PowerShell)
Get-Command clip
