Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Feature Request: Generate random passwords with CLI via dedicated command (e.g. `op generate`)
There are a few past threads about this:
- December 2020: https://1password.community/discussion/117673/generating-passwords-with-the-cli
- March 2022: https://1password.community/discussion/127625/feature-request-add-password-generation-with-words-in-cli
- May 2022: https://1password.community/discussion/129811/generate-passwords-from-op-1p-cli
They never seemed to go anywhere. One suggestion was to use:
op item create --title='retrievable generated password' --category=password --generate-password=20,letters,digits | op read op://Private/'retrievable generated password'/password
I find that overly verbose and complex just to get a short-lived password. There are many situations where you wouldn't want to save a password in 1P from a shell script. In my case, I'm spinning up containers to test with, after which I destroy the container and never need the password again.
There are plenty of other ways to do this with bash/zsh:
- date +%s | sha256sum | base64 | head -c 32 ; echo
- openssl rand -base64 32
I'd much prefer a way to do this with the 1Password CLI if at all possible. Something like op generate [options], though the command can be anything.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
16 Replies
Suggestion have an option to run a command using `op generate` as a command wrapper with an environment variable generated.
Such that an environment variable is briefly created in a environment where a passed command is run, and then safely destroyed with 100% certainty (even on error/crash).
E.g. `op generate password <<options>> -c 'store-secret add "example" --secret $GENERATED_PASSWORD' --confirmation $GENERATED_PASSWORD`.
Where GENERATED_PASSWORD is the environment variable created and `-c` is the command to be run.
The implementation could be something like:// Note: Pseudo bash code, I'm not a bash programmer // Create temp local evn var GENERATED_PASSWORD=`op generate password <<options>>` // Run given command ... // Cleanup unset GENERATED_PASSWORD // Add signal handling to cleanup GENERATED_PASSWORD // Optionally (on by default) hook in to SDOUT/SDERR to redact the secret in outputValue add the extra complexity over just allowing the `op password` to be used directly:
* Reduce the likely hood of secrets to be exposed accidentally
* Cleanup handling on error
* Way to showcase best practice in secrets management
* Increase the value of the ("op") 1Password CLI/improve DevX
* There are a lot of edge cases that 1Password can handle that would likely be too much work/missed for manual scripts
Defiantly suggest this as a separate function so it can be used without being authenticated; which can't be done for `op item create --dry-run ...`.
