mkpasswd
Generate password hashes
SYNOPSIS
mkpasswd [options] [password]
PARAMETERS
-m <method> | --method=<method>
Specifies the cryptographic hash method to use. Common methods include des, md5, sha-256, and sha-512. The available methods depend on the system's `glibc` and `crypt` library implementation.
-s <length> | --salt-len=<length>
Sets the length of the randomly generated salt string. A longer salt gives an attacker more distinct values to precompute, which strengthens resistance to rainbow table (precomputation) attacks.
-S <string> | --salt=<string>
Provides a specific salt string to be used instead of generating a random one. This is useful for replicating hashes or for specific requirements.
-p <password> | --password=<password>
Supplies the password directly as a command-line argument. WARNING: This is highly insecure as the password may be exposed in shell history or process lists. Use `-P` or omit for interactive input instead.
-P | --stdin
Reads the password from standard input. This is the recommended secure method for scripting `mkpasswd` without exposing the password.
--help
Displays a help message with usage information and exits.
--version
Shows the program's version information and exits.
DESCRIPTION
The `mkpasswd` command-line utility generates password hashes using the `crypt(3)` function, in the format expected by system password files such as `/etc/passwd` or `/etc/shadow`. It provides a convenient way to create salted and hashed passwords non-interactively or within scripts. Unlike a plain hash of the password, `mkpasswd` handles the salting step, which adds a random per-password value to the input and therefore significantly increases resistance against rainbow table attacks.
Users can specify the desired cryptographic method (e.g., DES, MD5, SHA-256, SHA-512) and control salt generation, either by length or by providing a custom salt string. It typically prompts for the password interactively for security, but also supports reading from standard input or, less securely, directly from command-line arguments. This utility is invaluable for system administrators automating user creation or password updates.
CAVEATS
Using `-p` or `--password` to pass a password directly on the command line is a significant security risk, as the password can be visible in shell history, process lists (`ps aux`), and logs. Always prefer interactive input or piping the password via standard input (`-P` or `--stdin`).
The availability of specific hashing methods (e.g., SHA-256, SHA-512) depends on your system's `glibc` and `crypt` library version. Older systems may support fewer methods, and the ones they do support may be weaker. Always verify supported methods using `man crypt` or by checking your system's documentation.
SECURITY BEST PRACTICES
When using `mkpasswd`, always prioritize security. Avoid supplying passwords directly on the command line (`-p`). Instead, either let `mkpasswd` prompt you interactively or use the `-P` (or `--stdin`) option to pipe the password from standard input. This prevents the password from being stored in command history or being visible in process listings. Furthermore, always choose the strongest available hashing algorithm supported by your system, such as SHA-512, to maximize resistance against brute-force and dictionary attacks.
ALGORITHM AND SALT CONSIDERATIONS
The strength of the generated hash depends heavily on the chosen cryptographic algorithm and the salt. Modern systems typically support SHA-256 and SHA-512, which are significantly more secure than the older DES or MD5 algorithms. A sufficiently long and randomly generated salt (the default behavior of `mkpasswd` if not specified) is crucial for preventing rainbow table attacks. Different Linux distributions and `glibc` versions might have slight variations in supported methods and default salt lengths; consult your system's `man crypt` page for specifics.
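What `mkpasswd -m sha-512` produces under the hood, as an added example that is not part of this page or of the `mkpasswd` project: a pure-Python implementation of the SHA-512 `crypt(3)` scheme (the `$6$` hash format) following the published SHA-crypt specification, with random salt generation in the style of the default salt behaviour described above and constant-time verification. The `Hello world!` / `saltstring` pair is the specification's own test vector; the function names are this example's, and the `rounds` handling (default 5000, clamped to 1000..999999999) mirrors glibc.

```python
import hashlib
import hmac
import secrets
import sys
from typing import Optional

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_MAX = 16            # SHA-crypt ignores salt characters beyond the 16th
DEFAULT_ROUNDS = 5000    # used when the hash string carries no rounds=N field
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999


def make_salt(length: int = SALT_MAX) -> str:
    """Random salt from the crypt alphabet (what mkpasswd does without -S)."""
    return "".join(secrets.choice(CRYPT_B64) for _ in range(min(length, SALT_MAX)))


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n crypt-alphabet characters from three bytes, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(CRYPT_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _stretch(block: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest so that it covers exactly `length` bytes."""
    full, rem = divmod(length, len(block))
    return block * full + block[:rem]


def sha512_crypt(password: str, salt: str, rounds: Optional[int] = None) -> str:
    """Return the $6$ hash string for password/salt, as glibc's crypt(3) would."""
    pw = password.encode()
    salt = salt[:SALT_MAX]
    sb = salt.encode()
    custom = rounds is not None
    n_rounds = min(max(DEFAULT_ROUNDS if rounds is None else rounds, ROUNDS_MIN), ROUNDS_MAX)

    # Digest B = H(pw || salt || pw); digest A mixes pw, salt and B.
    b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    a.update(_stretch(b, len(pw)))
    bits = len(pw)
    while bits > 0:                      # one update per bit of len(pw)
        a.update(b if bits & 1 else pw)
        bits >>= 1
    a_digest = a.digest()

    # Byte sequences P and S derived from the password and the salt.
    p = _stretch(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _stretch(hashlib.sha512(sb * (16 + a_digest[0])).digest(), len(sb))

    # The expensive part: `rounds` chained SHA-512 computations.
    c = a_digest
    for r in range(n_rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # crypt(3) encodes the 64 result bytes in a fixed permuted order:
    # (0,21,42), (22,43,1), (44,2,23), (3,24,45), ... then byte 63 alone.
    enc = []
    for k in range(21):
        t = (k, k + 21, k + 42)
        rot = k % 3
        x, y, z = t[rot:] + t[:rot]
        enc.append(_b64_from_24bit(c[x], c[y], c[z], 4))
    enc.append(_b64_from_24bit(0, 0, c[63], 2))

    prefix = "$6$" + (f"rounds={n_rounds}$" if custom else "")
    return prefix + salt + "$" + "".join(enc)


def verify(password: str, stored: str) -> bool:
    """Recompute the hash from the salt/rounds in `stored`; compare in constant time."""
    parts = stored.split("$")            # ["", "6", ["rounds=N",] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds, idx = None, 2
    if parts[2].startswith("rounds="):
        rounds, idx = int(parts[2][len("rounds="):]), 3
    if len(parts) != idx + 2:
        return False
    return hmac.compare_digest(sha512_crypt(password, parts[idx], rounds), stored)


if __name__ == "__main__":
    # Mirror mkpasswd's stdin mode: the password never appears in argv.
    print(sha512_crypt(sys.stdin.readline().rstrip("\n"), make_salt()))
```

Run it as `printf '%s\n' 'Hello world!' | python3 sha512_crypt.py` and the output is a `$6$...$` string that `verify()` accepts; the work factor lives entirely in the `rounds` loop, which is why raising `rounds` (not the salt length) is what slows down a brute-force attempt, while the random salt is what defeats precomputation.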
HISTORY
The concept of `crypt(3)` for password hashing has been a cornerstone of Unix security since the very early versions, such as V7 Unix. The `mkpasswd` utility itself emerged as a convenient wrapper around this fundamental C library function, simplifying the process of generating suitable password hashes for system authentication files.
Historically, it was often distributed as part of packages like `expect` (a Tcl extension) or `whois`, reflecting its utility in scripting and system administration tasks. Its evolution has mirrored advancements in cryptography, with initial support for the DES algorithm being augmented by stronger methods like MD5, SHA-256, and SHA-512, driven by the need to combat increasing computational power and evolving security threats.