---
title: pwtool
section: 1
header: User Manual
footer: pwtool 0.12.0
author: Ed Neville (ed-pwtool@s5h.net)
date: 27 December 2025
---
# NAME
pwtool - a convenience tool to make sane passwords and account creations
# SYNOPSIS
**pwtool**
**pwtool \-\-number N**
**pwtool \-\-length N**
**pwtool \-\-[only]alpha**
**pwtool \-\-[only]numeric**
**pwtool \-\-[only]extended**
**pwtool \-\-[only]lowercase**
**pwtool \-\-[only]uppercase**
**pwtool \-\-md5 [\-\-salt STRING]**
**pwtool \-\-des [\-\-salt STRING]**
**pwtool \-\-bcrypt [\-\-salt STRING]**
**pwtool \-\-sha[1,256,512] [\-\-salt STRING]**
**pwtool \-\-username [name]**
**pwtool \-\-database [name]**
**pwtool \-\-createdatabase**
**pwtool \-\-password STRING**
**pwtool \-\-keepassdb PATH**
**pwtool \-\-keepassphrase STRING**
**pwtool \-\-totp STRING**
**pwtool \-\-totpfmt**
**pwtool \-\-totpstep NUMBER**
# DESCRIPTION
**pwtool** is a utility to generate account passwords in a variety of formats with helper output on **stdout**. By default the password strings are made of letters and numbers for easy mouse selection.

If you just want a simple password for use in a script:

    pwtool --number 1
    PVTevLyA9r

If you run **pwtool** without any options it will generate a screen of passwords. Pick one that you like!
As well as flexible password generation options, a main goal is to output user creation strings that can be copied and pasted, or executed via stdin, so that operators don't have to re-type passwords.
Crypts can be based on user-supplied strings via the **--password** option or the **PASSWORD** environment variable.
The **--format** string can expand values:

    pwtool --database billing --username wonkeydonkey --password hunter2 --servername webby --number 1 --format 'DB: %{database}\\nUSR: %{username}\\nPASSWORD: %{password}\\nSERVER: %{servername}\\n'

Other strings, such as **--mysqlfmt**, **--pgfmt**, **--mysqluserfmt**, **--userfmt**, can generate copy/paste shell commands:

    pwtool --username wonkeydonkey --number 1 --userfmt
    useradd -m -s /bin/bash -p '$5$hYhnxam4j/chBu3V$BsZsRl4nj6DTpEdFMfLuerPFR0xvCJmeGQCUjuG9qM1' wonkeydonkey # Y9YgmSyv1A

    pwtool --username wonkeydonkey --database circus --createdatabase --number 1 --mysqlfmt
    create database circus; grant all privileges on circus.* to wonkeydonkey@'%' identified with mysql_native_password as '*21c0a42c1bb43ff6b56226a6a65a8859dd077497'; -- # VfKptnR2ft

Optionally a salt string can be provided with **--salt**.
If **--keepassdb** is specified, entries will be added to the DB. If the file exists, the password for the DB should be specified either with **--keepassphrase** or in the **KEEPASSPHRASE** environment variable. If the file does not exist, it will be created. If the passphrase is not specified, one will be created using the runtime configuration and written to stdout.
# TOTP
**pwtool** can work as a TOTP CLI and display TOTP authentication strings.
If you want to leave a TOTP authentication display in your terminal, it can run like this:

    TOTP="name=metalisbest,key=bar" pwtool --totpfmt

It will then run and leave a display like this:

    762269 [################# ] metalisbest

If you have multiple accounts, they can be displayed like this:

    TOTP="name=metalisbest,key=bar;name=grungeisbest,key=baz" pwtool --totpfmt
    523200 [####### ] metalisbest
    523200 [####### ] grungeisbest

The following key=value pairs are supported:
| key | definition |
|----------|--------|
| key / totp | the totp string |
| name / username | a meaningful name for this key |
| step | number of step seconds |
| digits | the length of the output |
| algo | which hmac to use (sha1, sha256, sha512) |
| seconds | a user-defined time |
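
How the key=value pairs above map onto an RFC 6238 computation, as an added example (not pwtool's own code): it parses a `TOTP`-style string and derives the code plus the seconds left in the current step. The function names are hypothetical, and it assumes a base32-encoded key, RFC 6238 defaults (30-second step, 6 digits, sha1) and that `seconds` is a Unix timestamp; the page does not state pwtool's behaviour on these points.

```python
import base64
import hashlib
import hmac
import struct
import time

# Alternate spellings listed in the table above, mapped to one canonical name.
ALIASES = {"totp": "key", "username": "name"}
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_accounts(spec):
    """Split 'k=v,k=v;k=v,...' into one dict per account (hypothetical helper)."""
    accounts = []
    for chunk in filter(None, (c.strip() for c in spec.split(";"))):
        acct = {}
        for pair in chunk.split(","):
            name, sep, value = pair.partition("=")  # base32 '=' padding stays in value
            if not sep:
                raise ValueError(f"expected key=value, got {pair!r}")
            name = name.strip().lower()
            acct[ALIASES.get(name, name)] = value.strip()
        if "key" not in acct:
            raise ValueError("account has no key/totp entry")
        accounts.append(acct)
    return accounts


def totp(acct, now=None):
    """Return (code, seconds_left) for one parsed account, per RFC 6238."""
    step = int(acct.get("step", 30))      # assumed default (RFC 6238)
    digits = int(acct.get("digits", 6))   # assumed default
    digest = ALGOS[acct.get("algo", "sha1").lower()]  # KeyError on unsupported algo
    if "seconds" in acct:                 # assumption: a Unix timestamp override
        now = int(acct["seconds"])
    elif now is None:
        now = int(time.time())
    b32 = acct["key"].replace(" ", "").upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # assumption: base32 key
    mac = hmac.new(secret, struct.pack(">Q", now // step), digest).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits), step - now % step


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret "12345678901234567890" in base32.
    demo = "name=rfc-vector,key=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,digits=8,seconds=59"
    for account in parse_accounts(demo):
        print(*totp(account), account.get("name", ""))
```
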