Generating Passwords Using crypt(3)

When writing things like Red Hat Kickstart scripts, or using useradd, or in many other cases, a password is required in the format generated by crypt(3). However, how do we generate a password in this format? In fact, there are many, many ways – if you just know what they are.

One way is to use mkpasswd. This utility is made just for this very purpose; to generate a password with crypt(3) use the command:


The program will ask for a password, and generates a crypt(3) output string.

If you have the Apache web server loaded, you can use htpasswd. Use this command

htpasswd -nd user

The name of the user doesn’t matter, as it is the password we want. The output will be in the format user:password; just copy the password and you’re set.

If you have OpenSSL available, you can use the openssl command:

openssl passwd -crypt myPassword

Replace myPassword with the password you want to encrypt.

The other methods all require putting the password into the command line in plain text. This can be a problem: the process list (seen using ps) will have the password in it as long as the program runs. The password will also go into the shell history.

One way around this – with programming languages – is to use a script or to use the language’s interpreter.

Using Perl:

perl -e "print crypt('password','sa');"

Perl requires a salt ('sa' in the example).

Ruby can generate a crypt-formatted password, but it requires a salt:

ruby -e 'print "password".crypt("JU"); print("\n");'

Using PHP, you can generate a password from the UNIX command line this way:

php -r "print(crypt('password','JU') . \"\n\");"

Note that if you do not provide a salt ('JU' in the example) then the string returned may not be in crypt format, but rather in MD5 format. Thus, while the salt is an optional parameter, it is necessary in this case.

Using Python requires importing the crypt library – and it requires a salt:

python -c 'import crypt; print crypt.crypt("password","Fx")'

Again, the salt in this case is the second parameter or "Fx".

Databases can generate crypt passwords too; using MySQL it can be done like this:

echo "select encrypt('password');" | mysql

For Tcl there are a number of options; if you are using Ubuntu, you could give the trf package a try. If using Lua, there is the lua-crypt extension.

Feel free to add other options below – with working command-line examples.