As shown in the previous illustration, specific users can be restricted to a limited set of keys and commands, while the default user has access to all keys and commands in the store unless you restrict it.
Since Redis 6, the AUTH command accepts a username and a password (AUTH <username> <password>) and authenticates the connection as that user, with the user's restrictions applied; the older single-argument form, AUTH <password>, authenticates as the default user.
Redis does not store ACL passwords in plaintext; it stores their SHA256 hashes (ACL LIST shows them prefixed with #). These passwords function as shared secrets between the client and the server rather than as credentials a person types. A password can be any string, but the recommended form is a long hexadecimal string of pseudorandom data, as shown in the following example:
ACL passwords are not typed by a human being; they are stored in client configuration and sent by client software. Hence, password length is no burden in this context, and there is no reason to choose a short one.
To generate Redis ACL passwords, use the dedicated ACL GENPASS command, which we discuss in the following section.
The ACL GENPASS Command
The ACL GENPASS command generates a hexadecimal string of 64 characters that encodes 256 bits of pseudorandom data. The command draws its randomness from /dev/urandom where that device is available (the Redis documentation notes that on systems without it a weaker fallback generator is used). /dev/urandom is the kernel interface to its cryptographically secure random number generator, so the output is unpredictable, not merely evenly distributed. A 256-bit random password cannot be guessed by brute force or by a dictionary attack; an attacker who wants it has to steal it from the client configuration or capture it on an unencrypted connection rather than crack it.
number_of_bits_per_output_string: This optional argument specifies how many bits of pseudorandom data the output string should contain (syntax: ACL GENPASS [bits]).
With no argument, the command returns a 64-character hex string containing 256 bits of pseudorandom data. When you pass the optional argument, with a number of bits from 1 to 1024, the output length changes accordingly: the number of bits is first rounded up to the next multiple of 4, because each hex character encodes exactly 4 bits, and the output length is that rounded value divided by 4.
Example 01 – Generate Default Length Password
Let’s assume we need to generate an ACL password for the default user, who has access to every command and key in the Redis data store. We use the ACL GENPASS command, which is simple and runs in constant time (O(1)).
As expected, the output is a 64-character hexadecimal string (digits 0-9 and letters a-f) encoding 256 bits, or 32 bytes, of pseudorandom data: 64 hex characters times 4 bits per character gives 256 bits.
Example 02 – Generate Custom Length Password
The ACL GENPASS command lets you choose how many bits of random data the final string should carry; pass that number of bits as the optional argument.
Let’s create an ACL password of 16 bits. The final hex string length should be 16 bits divided by four, which equals 4 hex characters. Note that such a short password has only 65,536 possible values and can be brute-forced in moments; sizes this small are useful only to observe how the command behaves, never for a real user.
Let’s specify the number of bits as 6. The command rounds this number up to the next multiple of four, so under the hood the number of bits becomes 8.
As expected, the output string is 2 hex characters long, representing 8 bits of pseudorandom data.
As the previous examples show, ACL GENPASS is a reliable password generator for Redis users; in practice, keep the default of 256 bits.
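The following Python script is an added example, not part of the original article or of the Redis project's own code. It reproduces locally the length rule from the previous section and the two examples above (the rounding that maps 256 bits to 64 characters, 16 bits to 4 and 6 bits to 2), draws the random data from the same OS source Redis prefers, and shows the SHA256 form in which Redis stores a password and accepts it in ACL SETUSER through the # prefix. The function names, the 1 to 1024 range check and the sample user name "reporting" are this example's own choices, not Redis identifiers.

```python
import hashlib
import secrets

# Redis rounds the requested bit count up to the next multiple of 4,
# because every hex character encodes exactly 4 bits.
REDIS_DEFAULT_BITS = 256
REDIS_MAX_BITS = 1024  # documented upper bound for ACL GENPASS [bits]
HEX_DIGITS = "0123456789abcdef"


def genpass_length(bits: int = REDIS_DEFAULT_BITS) -> int:
    """Number of hex characters ACL GENPASS returns for a given bit count.

    (bits + 3) // 4 is integer division that rounds up to the next
    multiple of 4 before dividing: 6 -> 2, 16 -> 4, 256 -> 64.
    """
    if bits < 1 or bits > REDIS_MAX_BITS:
        raise ValueError(f"bits must be between 1 and {REDIS_MAX_BITS}")
    return (bits + 3) // 4


def genpass(bits: int = REDIS_DEFAULT_BITS) -> str:
    """Local equivalent of ACL GENPASS: a hex string from the OS CSPRNG.

    secrets.token_hex reads the operating system's CSPRNG (/dev/urandom on
    Linux, the source Redis itself prefers) and yields two hex characters
    per byte, so we request enough bytes and trim to the exact length.
    """
    chars = genpass_length(bits)
    return secrets.token_hex((chars + 1) // 2)[:chars]


def guess_space(bits: int) -> int:
    """How many candidates a brute-force attacker must try for this size.

    Shows why the 16-bit and 6-bit examples are demonstrations only:
    16 bits is 65,536 guesses, 256 bits is 2**256.
    """
    return 16 ** genpass_length(bits)


def stored_hash(password: str) -> str:
    """SHA256 hex digest Redis keeps for a password (what ACL LIST shows)."""
    return hashlib.sha256(password.encode()).hexdigest()


def setuser_command(user: str, password: str,
                    keys: str = "~*", cmds: str = "+@all") -> str:
    """Build an ACL SETUSER line using the '#<sha256>' password form.

    Sending the hash instead of '>plaintext' keeps the secret itself out of
    the server's command stream, slowlog and AOF.
    """
    return f"ACL SETUSER {user} on #{stored_hash(password)} {keys} {cmds}"


def is_genpass_output(candidate: str, bits: int) -> bool:
    """Sanity check for a value claimed to come from ACL GENPASS <bits>."""
    return (len(candidate) == genpass_length(bits)
            and all(c in HEX_DIGITS for c in candidate))


if __name__ == "__main__":
    # The three cases from the article: default, 16 bits, 6 bits.
    for bits in (256, 16, 6):
        pw = genpass(bits)
        print(f"ACL GENPASS {bits}: {pw} ({len(pw)} hex chars, "
              f"{guess_space(bits)} possible values)")
    # A realistic use: a read-only user limited to one key prefix.
    strong = genpass()
    print(setuser_command("reporting", strong,
                          keys="~report:*", cmds="+get +mget"))
```

The ACL SETUSER line printed at the end can be pasted into redis-cli as-is; the client keeps the plaintext from genpass() and sends it with AUTH reporting <password>, while the server only ever holds the SHA256 hash.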
To summarize, Redis introduced the access control list feature in version 6.0.0. It adds a security layer in which individual client connections are limited to particular commands and keys in the Redis data store. Each client connection authenticates with the AUTH command, providing a username and password. Redis stores only SHA256 hashes of these passwords. Hence, it is recommended to generate strong Redis passwords with the ACL GENPASS command, whose default output is a 64-character hexadecimal string carrying 256 bits of randomness, far beyond the reach of brute-force guessing. Keep in mind that AUTH sends the password over the connection as-is, so enable TLS (supported since Redis 6) or restrict network access to the server; otherwise even a strong password can be captured on the wire.