When sending an MDM command to lock or wipe a device, a six-digit passcode is required. Humans aren’t great at random numbers, so I made several attempts at a shell function that generates random passcodes. Read on or skip to the final solution. All solutions print the passcode and copy it to the clipboard.
Attempt 1
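pcgen() {
    while true; do
        # Pad to six digits before checking so leading zeros are tested too
        pw=$(printf '%06d' "$(jot -r 1 10000 999999)")
        # Reject passcodes that contain an immediately repeated digit sequence
        if ! echo "$pw" | grep -Eq '(\d{1,})\1{1,}'; then break; fi
    done
    printf '%s' "$pw" | tee >(pbcopy)
    printf '\n'
}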
This version generates a random passcode without repeating any number sequences.
This is short and fast but could in theory generate 123456 and many other predictable codes that don’t have any repeating number sequences.
Attempt 2 – detect simple PINs
Windows Hello detects simple PINs by comparing the delta between consecutive digits and rejects a PIN when that delta is constant. 123456 has a delta of 1 between each digit and so is rejected. This version also reduces the random number range to exclude passcodes that would be invalid.
Attempt 2 code
pcgen() {
    while true
    do
        pw=$(jot -r 1 10201 989798)
        pw=$(printf '%06d' "$pw")
        # Assume a constant delta until two neighbouring deltas differ
        common_delta=1
        for ((j=0; j<${#pw}-1; j++ )); do
            digitA="${pw:$j:1}"
            digitB="${pw:$j+1:1}"
            delta=$(( digitA - digitB ))
            delta=${delta#-}   # absolute value
            [[ $j -eq 0 ]] && first_delta=$delta && continue
            [[ ! $delta -eq $first_delta ]] && common_delta=0 && break
        done
        # A constant delta means a simple PIN, so draw again
        [[ $common_delta -eq 1 ]] && continue
        if ! echo "$pw" | grep -Eq '(\d{1,})\1{1,}'
        then
            break
        fi
    done
    printf '%s' "${pw}" | tee >(pbcopy)
    printf '\n'
}
This function is already 22 lines long and doesn’t yet handle overflowing. Additionally, detecting simple PINs doesn’t address common numeric keypad sequences like 147258.
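One way to cover the overflow case is to count each step modulo 10, so that 9 to 0 is a step of 1. The block below is an added example, not code from the original post: the names has_constant_delta and gen_pin are hypothetical, it is written in portable POSIX sh, it reads /dev/urandom instead of calling jot, and it checks only the constant step, not repeated sequences.

```sh
# Added example, not the post's code. Portable POSIX sh (also runs in bash/zsh).
# Function names are hypothetical.

# has_constant_delta PIN
# Exit 0 when the step from each digit to the next is the same, counted
# modulo 10 so that 9 -> 0 is a step of 1 (the "overflow" case).
has_constant_delta() {
    rest=$1 prev='' first=''
    while [ -n "$rest" ]; do
        remainder=${rest#?}            # all but the first character
        digit=${rest%"$remainder"}     # the first character
        rest=$remainder
        if [ -n "$prev" ]; then
            step=$(( ($digit - $prev + 10) % 10 ))
            if [ -z "$first" ]; then
                first=$step
            elif [ "$step" -ne "$first" ]; then
                return 1
            fi
        fi
        prev=$digit
    done
    return 0
}

# gen_pin: print a six-digit PIN whose digits do not share one step.
gen_pin() {
    while :; do
        n=$(od -An -N4 -tu4 /dev/urandom | tr -dc '0-9')
        # Drop the top of the 32-bit range so n % 1000000 is not biased.
        [ "$n" -lt 4294000000 ] || continue
        pin=$(printf '%06d' $((n % 1000000)))
        has_constant_delta "$pin" || { printf '%s\n' "$pin"; return 0; }
    done
}

# Constructed sample PINs: the first four are simple, the last two are not.
for p in 123456 654321 890123 135791 147258 482915; do
    if has_constant_delta "$p"; then
        echo "$p: constant step, reject"
    else
        echo "$p: no constant step"
    fi
done
```

890123 is a case the absolute-difference loop in Attempt 2 lets through, because its deltas come out as 1, 9, 1, 1, 1. 147258 still passes here, which matches the keypad-sequence gap noted above.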
Attempt 3 – using data
pcgen() {
    pin_file="/tmp/6pin.txt"
    # Download the popularity-ordered PIN list on first run
    [[ -f "${pin_file}" ]] || curl -fso "${pin_file}" https://raw.githubusercontent.com/Slon104/Common-PIN-Analysis-from-haveibeenpwned.com/refs/heads/main/Word%20Lists/6%20PIN%20by%20Slon104.txt
    while true; do
        # Pick a random line, skipping the 1000 most popular PINs
        line=$(jot -r 1 1001 1000000)
        pw=$(sed -n "${line}, ${line}p; $((line+1))q" "${pin_file}")
        # Reject repeated multi-digit sequences and any digit repeated more than twice
        if ! echo "${pw}" | grep -Eq '(\d{2,})\1{1,}|(\d)\2{2,}'; then break; fi
    done
    printf '%s' "${pw}" | tee >(pbcopy)
    printf '\n'
}
This version leverages data on the most popular 6-digit PINs. On first run, it downloads a file of these PINs ordered by their popularity in password leaks. Ignoring the first 1000 lines (the most popular human-made passcodes), it pulls a random line from the file and validates that the PIN doesn’t have repeating two- or three-digit sequences or a single digit repeated more than twice.
While it is a little slower, the passcodes we get look very random in their composition. Change the location of the pin_file to something more persistent if you wish.
Enjoy!