---
title: pwtool
section: 1
header: User Manual
footer: pwtool 0.11.0
author: Ed Neville (ed-pwtool@s5h.net)
date: 29 October 2025
---
# NAME
pwtool - a convenience tool to make sane passwords and account creations
# SYNOPSIS
**pwtool**
**pwtool \-\-number N**
**pwtool \-\-length N**
**pwtool \-\-[only]alpha**
**pwtool \-\-[only]numeric**
**pwtool \-\-[only]extended**
**pwtool \-\-[only]lowercase**
**pwtool \-\-[only]uppercase**
**pwtool \-\-md5 [\-\-salt STRING]**
**pwtool \-\-des [\-\-salt STRING]**
**pwtool \-\-bcrypt [\-\-salt STRING]**
**pwtool \-\-sha[1,256,512] [\-\-salt STRING]**
**pwtool \-\-username [name]**
**pwtool \-\-database [name]**
**pwtool \-\-createdatabase**
**pwtool \-\-password STRING**
**pwtool \-\-totp STRING**
**pwtool \-\-totpfmt**
**pwtool \-\-totpstep NUMBER**
# DESCRIPTION
**pwtool** is a utility to generate account passwords in a variety of formats with helper output on **stdout**. By default the password strings are made of letters and numbers for easy mouse selection.
If you just want a simple password for use in a script:

    pwtool --number 1
    PVTevLyA9r

If you run **pwtool** without any options it will generate a screen of passwords. Pick one that you like!
As well as offering flexible password generation options, a main goal is to output user creation strings that can be copied and pasted, or executed via stdin, so that operators don't have to re-type passwords.
Crypts can be based on user supplied strings via the **--password** option or **PASSWORD** environment variable.
The **--format** string can expand values:

    pwtool --database billing --username wonkeydonkey --password hunter2 --servername webby --number 1 --format 'DB: %{database}\\nUSR: %{username}\\nPASSWORD: %{password}\\nSERVER: %{servername}\\n'

Other strings, such as **--mysqlfmt**, **--pgfmt**, **--mysqluserfmt**, **--userfmt**, can generate copy/paste shell commands:

    pwtool --username wonkeydonkey --number 1 --userfmt
    useradd -m -s /bin/bash -p '$5$hYhnxam4j/chBu3V$BsZsRl4nj6DTpEdFMfLuerPFR0xvCJmeGQCUjuG9qM1' wonkeydonkey # Y9YgmSyv1A

    pwtool --username wonkeydonkey --database circus --createdatabase --number 1 --mysqlfmt
    create database circus; grant all privileges on circus.* to wonkeydonkey@'%' identified with mysql_native_password as '*21c0a42c1bb43ff6b56226a6a65a8859dd077497'; -- # VfKptnR2ft

Optionally a salt string can be provided with **--salt**.
# TOTP
**pwtool** can work as a TOTP CLI and display TOTP authentication strings.
If you want to leave a TOTP authentication display in your terminal, it can run like this:

    TOTP="name=metalisbest,key=bar" pwtool --totpfmt

It will then run and leave a display like this:

    762269 [################# ] metalisbest

If you have multiple accounts, they can be displayed like this:

    TOTP="name=metalisbest,key=bar;name=grungeisbest,key=baz" pwtool --totpfmt
    523200 [####### ] metalisbest
    523200 [####### ] grungeisbest

The following key=value pairs are supported:

| Key | Description |
|---|---|
| key / totp | the totp string |
| name / username | a meaningful name for this key |
| step | number of step seconds |
| digits | the length of the output |
| algo | which hmac to use (sha1, sha256, sha512) |
| seconds | a user-defined time |
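
How a `TOTP` specification like the ones above resolves to a code, as an added Python example (not pwtool's own code): it parses the string using the keys in the table and computes the RFC 6238 value. Assumptions: the key is base32-encoded, `seconds` is a Unix timestamp, and the defaults are the RFC 6238 ones (30-second step, 6 digits, SHA-1); the sample secret is the RFC 6238 test key, constructed here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Aliases follow the key=value table; defaults are RFC 6238's (assumed for pwtool).
ALIASES = {"totp": "key", "username": "name"}
DEFAULTS = {"step": "30", "digits": "6", "algo": "sha1"}
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_accounts(spec):
    """Split 'k=v,k=v;k=v,...' into one dict per account."""
    accounts = []
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        acct = dict(DEFAULTS)
        for pair in entry.split(","):
            k, sep, v = pair.partition("=")  # base32 '=' padding stays in v
            if not sep:
                raise ValueError(f"expected key=value, got {pair!r}")
            k = k.strip().lower()
            acct[ALIASES.get(k, k)] = v.strip()
        if "key" not in acct:
            raise ValueError("account has no key/totp value")
        accounts.append(acct)
    return accounts


def totp(acct, now=None):
    """RFC 6238 code for one parsed account (key assumed to be base32)."""
    key = acct["key"].replace(" ", "").upper()
    secret = base64.b32decode(key + "=" * (-len(key) % 8))
    when = int(acct.get("seconds", time.time() if now is None else now))
    counter = struct.pack(">Q", when // int(acct["step"]))
    mac = hmac.new(secret, counter, ALGOS[acct["algo"].lower()]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    digits = int(acct["digits"])
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test secret, pinned to t=59.
    k = base64.b32encode(b"12345678901234567890").decode()
    spec = f"name=metalisbest,key={k},seconds=59;username=grungeisbest,totp={k},digits=8,seconds=59"
    for a in parse_accounts(spec):
        print(totp(a), a["name"])
```

Pinning `seconds` makes the output reproducible, which is useful for checking an implementation against the RFC 6238 test vectors.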