How to generate a random password using OpenSSL

A password copied into a service setting, bootstrap secret, or one-time handoff needs enough random bytes and a format the destination accepts. OpenSSL can generate that value locally in the terminal, which avoids an online password generator and keeps the output under the operator's control.

The openssl rand command generates random bytes, then -base64 or -hex turns those bytes into printable text. The number at the end of the command is the byte count before encoding, so the displayed password is longer than the requested byte count.

Base64 output is compact, but it can include +, /, and = characters that some forms reject or escape. Hex output uses only 0-9 and a-f, but it takes two visible characters for each random byte. Treat every generated value as a secret once it has been copied into a real account, configuration file, ticket, or transcript.

Steps to generate a random password using OpenSSL:

Generate a Base64 password from 32 random bytes.
```
$ openssl rand -base64 32
f1SMRHvIIf2V5FWIT9I2rOf9XI22mclef4AO0sOO8dU=
```
For 32 input bytes, standard Base64 output is 44 characters including padding. Use this form when the destination accepts mixed-case letters, digits, symbols, and padding.
Generate a hex password when the destination requires hex-only text.
```
$ openssl rand -hex 24
9616eb8eaa7a1e806a669a96cc43dda96f52f570c45e09b0
```
For 24 input bytes, hex output is 48 characters because each byte becomes two hex characters.
Store a generated Base64 password in a shell variable when the encoded length must be checked before copying.
```
$ password=$(openssl rand -base64 32)
```
Do not store production passwords in shell history, shared terminal logs, tickets, or screenshots. Regenerate the value if it was exposed while testing or documenting the workflow.

Print the stored Base64 password once for copying.

$ printf '%s\n' "$password"
iXtNsXdqnngMAp3DDLxm/pcSFQbLR3VoB9ucXUG73uk=

Check the Base64 character count.
```
$ printf '%s\n' "${#password}"
44
```
The shell variable keeps the value in the current shell session only. The length check uses shell parameter expansion, so no extra output-filtering command is needed.
Store a generated hex password when the destination requires hex-only text.
```
$ token=$(openssl rand -hex 24)
```

Print the stored hex password once for copying.

$ printf '%s\n' "$token"
a832d3fb969da84fb785bbfbd8f2d729fc760e2c7a354e6d

Check the hex character count.
```
$ printf '%s\n' "${#token}"
48
```
Clear the shell variables after copying the generated value into the intended secret store.
```
$ unset password token
```

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.