otpw-gen - one-time password generator
otpw-gen [ options ]
OTPW is a one-time password authentication system. It can be plugged
into any application that needs to authenticate users interactively.
One-time password authentication is a valuable protection against
password eavesdropping, especially for logins from untrusted terminals.
Before you can use OTPW to log into your system, two preparation steps
are necessary. Firstly, your system administrator has to enable it.
(This is usually done by configuring your login software (e.g., sshd)
to use OTPW via the Pluggable Authentication Module (PAM) configuration
files in /etc/pam.d/.)
Secondly, you need to generate a list of one-time passwords and print
it out. This can be done by calling
otpw-gen | lpr
or something like
otpw-gen -h 70 -s 2 | a2ps -1B -L 70 --borders no
if more control over the layout is desired.
You will be asked for a prefix password, which you need to memorize. It
has to be entered immediately before the one-time password. The prefix
password reduces the risk that anyone who finds or steals your password
printout can use that alone to impersonate you.
Each one-time password will be printed behind a three digit password
number. Such a number will appear in the password prompt when OTPW has
When you see this prompt, enter the memorized prefix password, followed
immediately by the one-time password identified by the number. Any
spaces within a password have only been inserted to improve legibility
and do not have to be copied. OTPW will ignore the difference between
the easily confused characters 0O and Il1 in passwords.
In some situations, for example if multiple logins occur simultaneously
for the same user, OTPW defends itself against the possibility of
various attacks by asking for three random passwords simultaneously.
You then have to enter the prefix password, followed immediately by the
three requested one-time passwords. This fall-back mode is activated by
the existence of the lock file ~/.otpw.lock. If it was left over by
some malfunction, it can safely be deleted manually.
Call otpw-gen again when you have used up about half of the printed
one-time passwords or when you have lost your password sheet. This will
disable all remaining passwords on the previous sheet.
-h number Specify the total number of lines per page to be sent to
standard output. This number minus four header lines
determines the number of rows of passwords on each page.
The maximum number of passwords that can be printed is
1000. (Minimum: 5, default: 60)
-w number Specify the maximum width of lines to be sent to standard
output. This parameter determines together with the
password length the number of columns in the printed
password matrix. (Minimum: 64, default: 79)
-s number Specify the number of form-feed separated pages to be
sent to standard output. (Default: 1)
-e number Specify the minimum entropy of each one-time password in
bits. The length of each password will be chosen
automatically, such that there are at least two to the
power of the specified number possible passwords. A value
below 30 might make the passwords vulnerable to a brute-
force guessing attack. If the attacke might have read
access to the ~/.otpw file, the value should be at least
48. Paranoid users might prefer long high-security
passwords with at least 60 bits of entropy. (Default:
-p0 Generate passwords by transforming a random bit string
into a sequence of letters and digits, using a form of
base-64 encoding (6 bits per character). (Default)
-p1 Generate passwords by transforming a random bit string
into a sequence of English four-letter words, each chosen
from a fixed list of 2048 words (2.75 bits per
-f filename Specify a file to be used instead of ~/.otpw for storing
the hash values of the generated one-time passwords.
The OTPW package, which includes the otpw-gen progam, has been
developed by Markus Kuhn. The most recent version is available from