Nezteb
March 31, 2023
Question

Feature Request: Generate random passwords with CLI via dedicated command (e.g. `op generate`)


There are a few past threads about this:
- December 2020: https://1password.community/discussion/117673/generating-passwords-with-the-cli
- March 2022: https://1password.community/discussion/127625/feature-request-add-password-generation-with-words-in-cli
- May 2022: https://1password.community/discussion/129811/generate-passwords-from-op-1p-cli

They never seemed to go anywhere. One suggestion was to use:

`op item create --title='retrievable generated password' --category=password --generate-password=20,letters,digits | op read op://Private/'retrievable generated password'/password`

I find that overly verbose and complex just to get a short-lived password. There are many situations where you wouldn't want to save a password in 1P from a shell script. In my case, I'm spinning up containers to test with, after which I destroy the container and never need the password again.

There are plenty of other ways to do this with bash/zsh:
- `date +%s | sha256sum | base64 | head -c 32 ; echo`
- `openssl rand -base64 32`

I'd much prefer a way to do this with the 1Password CLI if at all possible. Something like `op generate [options]`, though the command can be anything.



16 replies

May 29, 2023

@1P_Amanda, that's what we're doing above already in this thread, see the original post for context.

May 29, 2023

Oops, I feel dumb now - that'll teach me to reply before coffee on a Monday morning. I'll make a note, thank you!

Amanda

May 29, 2023

Totally fine, I do that all the time too! Coffee is essential ☕️! Doesn't change the outcome in my case ;)

June 1, 2023

I'm not confident it would have in mine either, shhhh.

June 24, 2025

Definitely suggest this as a separate function so it can be used without being authenticated, which can't be done for `op item create --dry-run ...`.

June 24, 2025

Suggestion: have an option to run a command using `op generate` as a command wrapper with an environment variable generated.

Such that an environment variable is briefly created in an environment where a passed command is run, and then safely destroyed with 100% certainty (even on error/crash).

E.g. `op generate password <<options>> -c 'store-secret add "example" --secret $GENERATED_PASSWORD' --confirmation $GENERATED_PASSWORD`.
Where GENERATED_PASSWORD is the environment variable created and `-c` is the command to be run.

The implementation could be something like:

```bash
# Note: Pseudo bash code, I'm not a bash programmer

# Create temp local env var
GENERATED_PASSWORD="$(op generate password <<options>>)"

# Run given command
...

# Cleanup
unset GENERATED_PASSWORD

# Add signal handling to cleanup GENERATED_PASSWORD

# Optionally (on by default) hook in to STDOUT/STDERR to redact the secret in output
```

Value add of the extra complexity over just allowing the `op password` to be used directly:
 * Reduce the likelihood of secrets being exposed accidentally
 * Cleanup handling on error
 * Way to showcase best practice in secrets management
 * Increase the value of the ("op") 1Password CLI/improve DevX
 * There are a lot of edge cases that 1Password can handle that would likely be too much work/missed for manual scripts
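
The wrapper idea from the last reply, sketched as an added example that is not part of the thread and not 1Password code. Since `op generate` is only a proposal here, the hypothetical `gen_password` reads `/dev/urandom`, and `with_generated_password` is likewise a made-up name; it buffers the command's output and merges stderr into stdout before redacting.

```shell
# Added example, not 1Password code. `op generate` is only a proposal in this
# thread, so gen_password (hypothetical name) reads /dev/urandom instead.

# gen_password [BYTES]: print BYTES random bytes as 2*BYTES hex characters.
gen_password() {
  head -c "${1:-16}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# with_generated_password CMD [ARGS...]
# The body is a subshell "( ... )", so pw, out and the environment variable
# cannot leak into the caller's shell, whatever CMD does (error, crash, signal).
with_generated_password() (
  pw=$(gen_password 16) || exit 1
  [ "${#pw}" -eq 32 ] || exit 1          # refuse to run with a short secret

  # The secret is placed in CMD's environment only; stderr is merged into
  # stdout so both streams pass through the redaction step below.
  status=0
  out=$(GENERATED_PASSWORD="$pw" "$@" 2>&1) || status=$?

  # Redact by literal substring match. The secret reaches awk through its
  # environment (ENVIRON), not argv, so it never shows up in `ps` output.
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | PW="$pw" awk '{
      n = length(ENVIRON["PW"])
      while ((i = index($0, ENVIRON["PW"])) > 0)
        $0 = substr($0, 1, i - 1) "[REDACTED]" substr($0, i + n)
      print
    }'
  fi
  exit "$status"
)

# Demo: the child can use the secret, but its output comes back redacted.
with_generated_password sh -c 'echo "child saw: $GENERATED_PASSWORD"'
```

Have CMD read `GENERATED_PASSWORD` from its environment; expanding it onto a command line, as in `--secret $GENERATED_PASSWORD`, makes the value visible to other local users through the process list.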