Finds common flaws in passwords. Like cracklib, but written in Go.

Overview

crunchy

Detects:

  • ErrEmpty: Empty passwords
  • ErrTooShort: Too short passwords
  • ErrNoDigits: Password does not contain any digits
  • ErrNoSymbols: Password does not contain any special characters
  • ErrTooFewChars: Too few different characters, like "aabbccdd"
  • ErrTooSystematic: Systematic passwords, like "abcdefgh" or "87654321"
  • ErrDictionary: Passwords from a dictionary / wordlist
  • ErrMangledDictionary: Mangled / reversed passwords, like "p@ssword" or "drowssap"
  • ErrHashedDictionary: Hashed dictionary words, like "5f4dcc3b5aa765d61d8327deb882cf99" (the md5sum of "password")
  • ErrFoundHIBP: Optional hash checks against the haveibeenpwned.com database

Your system dictionaries from /usr/share/dict will be indexed. If no dictionaries are found, crunchy relies only on the regular sanity checks (ErrEmpty, ErrTooShort, ErrTooFewChars and ErrTooSystematic). On Ubuntu it is recommended to install the wordlists distributed with cracklib-runtime; on macOS you can install cracklib-words from brew. You can also install various other language dictionaries or wordlists, e.g. from skullsecurity.org.

crunchy uses the Wagner-Fischer (edit distance) algorithm to find mangled passwords in your dictionaries.
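As an added illustration of the dictionary checks listed above, here is a small Go program (written for this page, not crunchy's own code) that implements the Wagner-Fischer edit distance and uses it for plain, reversed, MD5-hashed and mangled lookups against a constructed in-memory wordlist. Unit edit costs and the threshold rule (a candidate is "mangled" when its distance to a word is below minDist) are assumptions made for this example; crunchy's exact comparison may differ.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// wagnerFischer returns the edit (Levenshtein) distance between a and b using the
// Wagner-Fischer dynamic-programming table, kept as two rolling rows. Insertions,
// deletions and substitutions all cost 1 here (an assumption for this example).
func wagnerFischer(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j // turning "" into b[:j] takes j insertions
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i // turning a[:i] into "" takes i deletions
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// Finding describes which dictionary word a password collided with and how.
type Finding struct {
	Word     string
	Distance int
	Kind     string // "dictionary", "reversed", "hashed" or "mangled"
}

// checkAgainstDictionary mirrors the ErrDictionary, ErrMangledDictionary and
// ErrHashedDictionary checks on a small in-memory wordlist. A password is reported as
// mangled when its distance to some word is below minDist (assumed threshold semantics).
func checkAgainstDictionary(password string, words []string, minDist int) (*Finding, bool) {
	pw := strings.ToLower(password)
	for _, w := range words {
		sum := md5.Sum([]byte(w))
		switch pw {
		case w:
			return &Finding{Word: w, Kind: "dictionary"}, true
		case reverse(w):
			return &Finding{Word: w, Kind: "reversed"}, true
		case hex.EncodeToString(sum[:]):
			return &Finding{Word: w, Kind: "hashed"}, true
		}
	}
	var best *Finding
	for _, w := range words {
		if d := wagnerFischer(pw, w); d < minDist && (best == nil || d < best.Distance) {
			best = &Finding{Word: w, Distance: d, Kind: "mangled"}
		}
	}
	return best, best != nil
}

func main() {
	// Constructed mini-dictionary standing in for /usr/share/dict.
	words := []string{"password", "welcome", "dragon"}
	for _, candidate := range []string{"password", "p@ssword", "drowssap",
		"5f4dcc3b5aa765d61d8327deb882cf99", "Tr0ub4dor&3"} {
		if f, ok := checkAgainstDictionary(candidate, words, 3); ok {
			fmt.Printf("%q: %s match on %q (distance %d)\n", candidate, f.Kind, f.Word, f.Distance)
		} else {
			fmt.Printf("%q: no dictionary match\n", candidate)
		}
	}
}
```

The exact, reversed and hashed checks are cheap map-style comparisons; the edit-distance pass is the expensive part, which is why the minimum distance is worth tuning against the size of your wordlists.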

Installation

Make sure you have a working Go environment (Go 1.2 or higher is required). See the install instructions.

To install crunchy, simply run:

go get github.com/muesli/crunchy

Example

package main

import (
	"fmt"

	"github.com/muesli/crunchy"
)

func main() {
	validator := crunchy.NewValidator()

	err := validator.Check("12345678")
	if err != nil {
		fmt.Printf("The password '12345678' is considered unsafe: %v\n", err)
	}

	err = validator.Check("p@ssword")
	if dicterr, ok := err.(*crunchy.DictionaryError); ok {
		fmt.Printf("The password 'p@ssword' is too similar to dictionary word '%s' (distance %d)\n",
			dicterr.Word, dicterr.Distance)
	}

	err = validator.Check("d1924ce3d0510b2b2b4604c99453e2e1")
	if err == nil {
		// Password is considered acceptable
		fmt.Println("The password 'd1924ce3d0510b2b2b4604c99453e2e1' is considered acceptable")
	}
}

Custom Options

package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"

	"github.com/muesli/crunchy"
)

func main() {
	validator := crunchy.NewValidatorWithOpts(crunchy.Options{
		// MinLength is the minimum length required for a valid password
		// (must be >= 1, default is 8)
		MinLength: 10,

		// MinDiff is the minimum amount of unique characters required for a valid password
		// (must be >= 1, default is 5)
		MinDiff: 8,

		// MinDist is the minimum WagnerFischer distance for mangled password dictionary lookups
		// (must be >= 0, default is 3)
		MinDist: 4,

		// Hashers will be used to find hashed passwords in dictionaries
		Hashers: []hash.Hash{md5.New(), sha1.New(), sha256.New(), sha512.New()},

		// DictionaryPath contains all the dictionaries that will be parsed
		// (default is /usr/share/dict)
		DictionaryPath: "/var/my/own/dicts",

		// MustContainDigit is a flag to require at least one digit for a valid password
		// (default is false)
		MustContainDigit: true,

		// MustContainSymbol is a flag to require at least one special symbol for a valid password
		// (default is false)
		MustContainSymbol: true,

		// Check haveibeenpwned.com database
		// Default is false
		CheckHIBP: true,
	})

	// Validate a candidate password against the stricter options above
	if err := validator.Check("correct-horse-battery-staple-42"); err != nil {
		fmt.Printf("The password is considered unsafe: %v\n", err)
	}
}
Issues
  • Remove defer Statement

    This small patch removes a defer statement inside of a for loop and calls Close after the scanner is done reading the file.

    bug
    opened by gsquire 7
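The resource-lifetime problem behind that patch is easy to reproduce: a defer inside a loop does not run until the enclosing function returns, so indexing many dictionary files keeps every descriptor open until the whole loop finishes. The Go program below is an added example written for this page, not crunchy's patch; it shows one idiomatic fix, moving the open/defer-Close pair into a per-file helper, and builds a constructed temporary wordlist directory so it runs without /usr/share/dict.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
)

// indexFile opens one dictionary file and returns its non-empty lines.
// Because the defer lives in this helper, the descriptor is released as soon as
// this file has been scanned, instead of accumulating until the caller returns.
func indexFile(path string) ([]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	var words []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if line := sc.Text(); line != "" {
			words = append(words, line)
		}
	}
	return words, sc.Err()
}

// indexDictionaries indexes every regular file in dir; the loop body itself
// never holds an open file handle across iterations.
func indexDictionaries(dir string) (map[string]struct{}, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	index := make(map[string]struct{})
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		words, err := indexFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		for _, w := range words {
			index[w] = struct{}{}
		}
	}
	return index, nil
}

// writeSampleDictionaries creates a temporary directory holding two small
// constructed wordlists (sample data for this example only).
func writeSampleDictionaries() (string, error) {
	dir, err := os.MkdirTemp("", "crunchy-example-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"words": "password\nwelcome\nletmein\n",
		"extra": "dragon\nwelcome\n",
	}
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o600); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := writeSampleDictionaries()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(dir)

	index, err := indexDictionaries(dir)
	if err != nil {
		fmt.Println("indexing failed:", err)
		return
	}
	fmt.Printf("indexed %d unique words from %s\n", len(index), dir)
}
```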
  • Added support for haveibeenpwned.com

    Hello, this PR adds support for https://haveibeenpwned.com. In cases when you want to check multiple passwords, you should sleep 1.5 seconds between requests because the API is rate limited.

    opened by lateralusd 4
  • Prevent DoS by using timeouts in HTTP calls

    The default HTTP client does not enforce any timeouts. This task is left to the user. Not doing so leaves one vulnerable to denial of service attacks. A more probable scenario might be a downtime of HIBP and hanging / blocking programs using crunchy.

    The HttpClient variable is exported to enable users to change the default timeouts.

    opened by KEANO89 3
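The two points raised in the last two PRs (the HIBP lookup itself, and the need for a timeout on the client that performs it) fit in one short Go example. This is added code written for this page, not crunchy's implementation: it assumes the documented shape of the Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/{first 5 hex characters of the upper-case SHA-1}, returning one "SUFFIX:COUNT" line per match), so only a hash prefix ever leaves the host. The embedded response body is constructed, including its counts, so the parsing can be exercised offline; the network call is only made from main.

```go
package main

import (
	"bufio"
	"context"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// newHIBPClient returns an http.Client with an overall request deadline. The zero-value
// http.Client (and http.DefaultClient) has no timeout at all, so a stalled or unreachable
// service would block the caller indefinitely.
func newHIBPClient(timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout}
}

// splitSHA1 hashes the password and splits the upper-case hex digest into the 5-character
// prefix sent to the range API and the 35-character suffix that stays local (k-anonymity).
func splitSHA1(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// countInRange parses a range-API response body ("SUFFIX:COUNT" per line) and returns how
// many times the given suffix was seen, or 0 when it is absent.
func countInRange(body io.Reader, suffix string) (int, error) {
	sc := bufio.NewScanner(body)
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 {
			continue
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// pwnedCount performs the lookup with both a client timeout and a context deadline,
// so a hung endpoint fails fast instead of blocking the caller.
func pwnedCount(ctx context.Context, client *http.Client, password string) (int, error) {
	prefix, suffix := splitSHA1(password)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet,
		"https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("hibp: unexpected status %s", resp.Status)
	}
	return countInRange(resp.Body, suffix)
}

// sampleRangeBody is a constructed response fragment for the "5BAA6" prefix; the
// suffixes and counts are made up for this example.
const sampleRangeBody = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
	"3D4F4BA5F7C8E2A1B0C9D8E7F6A5B4C3D21:7\r\n"

func main() {
	client := newHIBPClient(5 * time.Second)
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	n, err := pwnedCount(ctx, client, "password")
	if err != nil {
		fmt.Println("lookup failed (offline or HIBP unreachable):", err)
		return
	}
	fmt.Printf("'password' seen %d times in breach data\n", n)
}
```

A client Timeout bounds the whole exchange (connect, headers and body), while the context deadline lets a caller cancel early; using both is the usual belt-and-braces choice for a library that talks to a third-party service.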
  • Bump Go versions

    opened by HaraldNordgren 1
  • Release a new version

    There have been few changes since the last release - https://github.com/muesli/crunchy/compare/v0.1...HEAD.

    Would it be possible to tag a new version with them?

    I am trying to package crunchy for Debian as part of packaging of https://github.com/gopasspw/gopass/

    opened by balasankarc 1
  • Add GitHub workflow

    Sadly supporting versions <1.11.x is a bit annoying with the current actions/setup-go flow.

    opened by muesli 1
  • Reduce memory footprint indexing dictionaries

    This is a preliminary attempt to reduce crunchy's memory footprint when used with very large dictionary files.

    Started as https://github.com/gopasspw/gopass/issues/1261

    enhancement
    opened by rafasc 1
  • Add MustContainDigit and MustContainSymbol flags to the Option struct

    This PR extends the crunchy.Options struct to improve the password requirements options. Two new flags are added:

    • MustContainDigit - if set to true, the password must contain at least one digit to be valid. (default is false)
    • MustContainSymbol - if set to true, the password must contain at least one special symbol to be valid. (default is false)

    enhancement
    opened by morangolan 1
  • Use concurrency to check mangled passwords

    This is part of an attempt to improve crunchy's performance.

    This PR focuses on improving the mangled password checks by using concurrency to speed up the search.

    $ benchstat before after 
    name                   old time/op  new time/op  delta
    ValidatePassword-8      41.3s ± 1%   29.7s ± 1%  -28.12%  (p=0.000 n=8+8)
    FoundInDictionaries-8   11.8s ± 1%    4.4s ± 1%  -62.24%  (p=0.000 n=8+8)

    Hashing will be next

    opened by rafasc 2
  • Ability to load dictionaries in memory

    At the moment it is only possible to load dictionaries from disk. This precludes storing dictionaries in a database or other more easily updated location that an application could load from on startup.

    Would there be any objections to exposing the inner for loop body of the indexDictionaries func outside of the package, so that the dictionary could be populated by whatever is convenient for the developer, with a caveat that it is not safe to call that function concurrently with any other aspect of the application (or a rwmutex to enforce that this is the case)?

    opened by nvx 1
Releases (v0.4.0)
  • v0.4.0 (Apr 10, 2020)

  • v0.1.0 (Jan 30, 2020)

    Finds common flaws in passwords. Like cracklib, but written in Go.

    Detects:

    • Empty passwords: ErrEmpty
    • Too short passwords: ErrTooShort
    • Too few different characters, like "aabbccdd": ErrTooFewChars
    • Systematic passwords, like "abcdefgh" or "87654321": ErrTooSystematic
    • Passwords from a dictionary / wordlist: ErrDictionary
    • Mangled / reversed passwords, like "p@ssword" or "drowssap": ErrMangledDictionary
    • Hashed dictionary words, like "5f4dcc3b5aa765d61d8327deb882cf99" (the md5sum of "password"): ErrHashedDictionary
  • v0.3.0 (Jan 29, 2020)

  • v0.2.0 (Apr 18, 2019)
Owner
Christian Muehlhaeuser
Geek, Gopher, Software Developer, Maker, Opensource Advocate, Tech Enthusiast, Photographer, Board and Card Gamer
Decrypt passwords/cookies/history/bookmarks from the browser.

hack-browser-data is an open-source tool that could help you decrypt data ( passwords|bookmarks|cookies|history ) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.

ᴍᴏᴏɴD4ʀᴋ 3.4k Jul 24, 2021
hack-browser-data is an open-source tool that could help you decrypt data from the browser.

hack-browser-data is an open-source tool that could help you decrypt data ( password|bookmark|cookie|history|credit card|download

idiotc4t 73 Jul 19, 2021
go seof: Simple Encrypted os.File

Encrypted implementation of golang' os.File. It handles WriteAt, Seek, Truncate, etc. Can deal with huge files, random access, etc.

Ed Riccardi 44 May 11, 2021
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP

sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. (demo)

Mozilla 7.9k Jul 17, 2021
DERO Homomorphic Encryption Blockchain Protocol

Homomorphic encryption is a form of encryption allowing one to perform calculations on encrypted data without decrypting it first. The result of the computation is in an encrypted form, when decrypted the output is the same as if the operations had been performed on the unencrypted data.

null 30 Jul 25, 2021
Windows helpers for GnuPG tools suite - OpenSSH, WSL 1, WSL2, Cygwin, MSYS2, Git4Windows, Putty...

win-gpg-agent Simple set of tools to make working with GPG and SSH keys easier on Windows 10. Windows 10 has ssh-agent service (with support for persi

rupor 54 Jul 9, 2021
DERO: Secure, Anonymous Blockchain with Smart Contracts. Subscribe to Dero announcements by sending mail to [email protected] with subject: subscribe announcements

Welcome to the Dero Project DERO News Forum Wiki Explorer Source Twitter Discord Github Stats WebWallet Medium Table of Contents ABOUT DERO PROJECT DE

null 231 Jul 13, 2021
Tooling to validate HTTPS Certificates and Connections Around Web 🕷️

Cassler - SSL Validator Tool. If you read fast, it sounds like "Cassia Eller". Tooling to validate HTTPS Certificates and Connections Around Web 🕷️

Matheus Fidelis 47 Jul 6, 2021
The bare metal Go smart card

Authors Andrea Barisani [email protected] | [email protected] Introduction The GoKey application implements a USB smartcard in pure Go

F-Secure Foundry 106 Jul 13, 2021
A simple and lightweight encrypted password manager written in Go.

Osiris Password Manager A simple and lightweight encrypted password manager written in Go

null 33 May 31, 2021
Gopass Browser Bindings

JSON API gopass-jsonapi enables communication with gopass via JSON messages. This is particularly useful for browser plugins like gopassbridge running

Gopass 15 May 25, 2021
🔐 Share end-to-end encrypted secrets with others via a one-time URL

If you use this repo, star it ✨ 🔐 Share end-to-end encrypted secrets with others via a one-time URL Use to securely share API Keys, Signing secrets,

Sniptt 20 Jul 19, 2021
🔐 Share end-to-end encrypted secrets with others via a one-time URL

If you use this repo, star it ✨ 🔐 Share end-to-end encrypted secrets with others via a one-time URL Use to securely share API Keys, Signing secrets,

Sniptt 41 Jul 22, 2021
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑

simple-scrypt simple-scrypt provides a convenience wrapper around Go's existing scrypt package that makes it easier to securely derive strong keys ("h

Matt Silverlock 172 Jul 12, 2021