I need to generate multiple random passwords and came across the "openssl rand -base64 14" command which does the base64 encoding inbuilt.
sh-3.2# openssl rand -base64 14
ktMgWKno9AbvRUq4wx0=
But, once after generation, I would like to decrypt the password to useable/human readable format. But, wen decoding, I am seeing only non readble values.
sh-3.2# echo ktMgWKno9AbvRUq4wx0= | base64 --decode
�� X����EJ��sh-3.2#
How you guys decrypt these and use?
In the method you came across the format like ktMgWKno9AbvRUq4wx0= is human-readable; this is exactly what you need.
decrypt the password to useable/human readable format.
A misunderstanding. Two parts of it:
openssl rand generates pseudo-random bytes. There is no guarantee they will be printable or human-readable.So you asked for (in general) binary data encoded as text. ktMgWKno9AbvRUq4wx0= is the human-readable form. Your command to "decrypt" (or rather "decode"; Base64 is an encoding, not encryption) is valid but it gives you the binary data the tool would yield without -base64.
You can use what openssl rand -base64 14 gave you as a human-readable password. I guess this was the gist of the solution you came across. Each character in ktMgWKno9AbvRUq4wx0= carries exactly 6 bits of entropy of the original binary sequence, except the one just before = and the = itself: the 0= sequence carries 4 bits. In total you have 18×6+4 bits of entropy, this is exactly 14×8 you asked for. The whole string is 20 characters long. To maximize (within the method) the entropy stored in 20 characters you should require at least 20x6 bits and take the first 20 characters. 20x6 is exactly 15x8, so this command
openssl rand -base64 15
will generate exactly the 20 characters you need (no truncating required). This will be a human-readable string of the same length as the one in question but with 8 more bits of entropy in it.
I said "maximize within the method" because "outside of the method" it's possible to pack more entropy per human-readable character. If you allow additional characters that don't belong to the Base64 character set (e.g. %, _, #) then you will get more than 6 bits per character.
You cannot expand the method with additional characters because "6 bits per character" is like the foundation of Base64. To get more entropy per character you need a completely different approach. A method that uses all 95 printable ASCII characters will give you about 6.5 bits of entropy per character (strictly: log2 95).
