diff --git a/dotfiles/zshrc b/dotfiles/zshrc
index 3dc3abb..ea4e02d 100644
--- a/dotfiles/zshrc
+++ b/dotfiles/zshrc
@@ -85,10 +85,18 @@ jpegoptimize() {
     gm mogrify -filter Triangle -define filter:support=2 -unsharp 2x0.5+0.7+0 -dither -quality $QUALITY -define jpeg:fancy-upsampling=off -interlace Line -strip -output-directory $2 $1
 }
 
-# generate random password 15 characters long
-# See: https://unix.stackexchange.com/questions/230673/how-to-generate-a-random-string
+# Generate a random hex password 20 characters long. The input from /dev/urandom
+# does not need to be any particular length due to SHA-2 256's design (for exam-
+# ple, the "avalanche" effect and the input padding), so I just read 1 byte with
+# dd. Some sites (see below) recommend using a minimum of 20 characters for hex
+# passwords.
+#
+# See: https://www.ssh.com/academy/ssh/passphrase-generator
 genpass() {
-    </dev/urandom tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' | head -c 15 ; echo
+    dd if=/dev/urandom bs=1 count=1 2>/dev/null | \
+      sha256sum -b | \
+      sed 's/ .*//' | \
+      head -c 20; echo
 }
 
 # set GPG TTY for pinentry-curses