Finds common flaws in passwords. Like cracklib, but written in Go.

Overview

crunchy


Detects:

  • ErrEmpty: Empty passwords
  • ErrTooShort: Too short passwords
  • ErrNoDigits: Password does not contain any digits
  • ErrNoSymbols: Password does not contain any special characters
  • ErrTooFewChars: Too few different characters, like "aabbccdd"
  • ErrTooSystematic: Systematic passwords, like "abcdefgh" or "87654321"
  • ErrDictionary: Passwords from a dictionary / wordlist
  • ErrMangledDictionary: Mangled / reversed passwords, like "p@ssword" or "drowssap"
  • ErrHashedDictionary: Hashed dictionary words, like "5f4dcc3b5aa765d61d8327deb882cf99" (the md5sum of "password")
  • ErrFoundHIBP: Optional hash checks against the haveibeenpwned.com database

Your system dictionaries from /usr/share/dict will be indexed. If no dictionaries are found, crunchy relies only on the regular sanity checks (ErrEmpty, ErrTooShort, ErrTooFewChars and ErrTooSystematic). On Ubuntu it is recommended to install the wordlists distributed with cracklib-runtime; on macOS you can install cracklib-words from brew. You can also install other language dictionaries or wordlists, e.g. from skullsecurity.org.

crunchy uses the Wagner-Fischer algorithm (edit distance) to find mangled versions of the words in your dictionaries.
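As an added illustration (not crunchy's own code), the following stand-alone Go programme implements the checks listed above in the same spirit: the empty/too-short and systematic-sequence sanity checks, dictionary and mangled/reversed lookups by Wagner-Fischer edit distance, and the md5-hashed-word check. The three-word wordlist, the error names and the Check/WagnerFischer functions are constructed for this example; the thresholds are the README's defaults (8 characters, distance 3), and an exact or reversed dictionary hit is reported as distance 0 rather than with a separate ErrDictionary.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed mini wordlist standing in for the /usr/share/dict files crunchy indexes.
var dictionary = []string{"password", "letmein", "welcome"}

// README defaults: shorter than minLength is ErrTooShort; an edit distance below
// minDist to a dictionary word is a mangled dictionary word. Names are local to this example.
const minLength, minDist = 8, 3

var (
	ErrEmpty             = errors.New("empty password")
	ErrTooShort          = errors.New("password is too short")
	ErrTooSystematic     = errors.New("password is too systematic")
	ErrMangledDictionary = errors.New("password is too similar to a dictionary word")
	ErrHashedDictionary  = errors.New("password is the hash of a dictionary word")
)

// WagnerFischer is the Levenshtein edit distance over two rows of the DP table: O(len(a)*len(b)) time, O(len(b)) memory.
func WagnerFischer(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j // "" -> b[:j] is j insertions
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i // a[:i] -> "" is i deletions
		for j := 1; j <= len(rb); j++ {
			d := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				d++
			}
			if prev[j]+1 < d { // deletion
				d = prev[j] + 1
			}
			if cur[j-1]+1 < d { // insertion
				d = cur[j-1] + 1
			}
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// isSystematic catches "abcdefgh" or "87654321": every step between neighbours is the same +1 or -1.
func isSystematic(r []rune) bool {
	if len(r) < 2 || (r[1]-r[0] != 1 && r[1]-r[0] != -1) {
		return false
	}
	for i := 2; i < len(r); i++ {
		if r[i]-r[i-1] != r[1]-r[0] {
			return false
		}
	}
	return true
}

// Check runs the checks in the README's order and returns the first failure, or nil.
func Check(password string) error {
	r := []rune(password)
	switch {
	case len(r) == 0:
		return ErrEmpty
	case len(r) < minLength:
		return ErrTooShort
	case isSystematic(r):
		return ErrTooSystematic
	}
	lower := strings.ToLower(password)
	for _, w := range dictionary {
		d := WagnerFischer(lower, w)
		if rd := WagnerFischer(reverse(lower), w); rd < d {
			d = rd // "drowssap" is "password" reversed: distance 0 to the word
		}
		if d < minDist { // distance 0 is the word itself, 1..2 a mangling like "p@ssword"
			return fmt.Errorf("%w: %q (distance %d)", ErrMangledDictionary, w, d)
		}
		if sum := md5.Sum([]byte(w)); strings.EqualFold(password, hex.EncodeToString(sum[:])) {
			return ErrHashedDictionary // e.g. md5("password") = 5f4dcc3b5aa765d61d8327deb882cf99
		}
	}
	return nil
}
```

Calling Check on "12345678" yields ErrTooSystematic, on "p@ssword" a wrapped ErrMangledDictionary naming "password" at distance 1, and on the md5 of "password" ErrHashedDictionary; a long passphrase such as "correct horse battery staple" passes. Reversal is checked by comparing the reversed candidate against each word, which is cheaper than storing every reversed word in the index.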

Installation

Make sure you have a working Go environment (Go 1.2 or higher is required). See the install instructions.

To install crunchy, simply run:

go get github.com/muesli/crunchy

Example

package main

import (
	"fmt"

	"github.com/muesli/crunchy"
)

func main() {
	validator := crunchy.NewValidator()

	err := validator.Check("12345678")
	if err != nil {
		fmt.Printf("The password '12345678' is considered unsafe: %v\n", err)
	}

	err = validator.Check("p@ssword")
	if dicterr, ok := err.(*crunchy.DictionaryError); ok {
		fmt.Printf("The password 'p@ssword' is too similar to dictionary word '%s' (distance %d)\n",
			dicterr.Word, dicterr.Distance)
	}

	err = validator.Check("d1924ce3d0510b2b2b4604c99453e2e1")
	if err == nil {
		// Password is considered acceptable
		fmt.Println("The password 'd1924ce3d0510b2b2b4604c99453e2e1' passed all checks")
	}
}

Custom Options

package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"

	"github.com/muesli/crunchy"
)

func main() {
	validator := crunchy.NewValidatorWithOpts(crunchy.Options{
		// MinLength is the minimum length required for a valid password
		// (must be >= 1, default is 8)
		MinLength: 10,

		// MinDiff is the minimum amount of unique characters required for a valid password
		// (must be >= 1, default is 5)
		MinDiff: 8,

		// MinDist is the minimum Wagner-Fischer distance for mangled password dictionary lookups
		// (must be >= 0, default is 3)
		MinDist: 4,

		// Hashers will be used to find hashed passwords in dictionaries
		Hashers: []hash.Hash{md5.New(), sha1.New(), sha256.New(), sha512.New()},

		// DictionaryPath contains all the dictionaries that will be parsed
		// (default is /usr/share/dict)
		DictionaryPath: "/var/my/own/dicts",

		// MustContainDigit is a flag to require at least one digit for a valid password
		// (default is false)
		MustContainDigit: true,

		// MustContainSymbol is a flag to require at least one special symbol for a valid password
		// (default is false)
		MustContainSymbol: true,

		// CheckHIBP enables the optional lookup against the haveibeenpwned.com database
		// (default is false)
		CheckHIBP: true,
	})

	if err := validator.Check("12345678"); err != nil {
		fmt.Printf("The password '12345678' is considered unsafe: %v\n", err)
	}
}
Comments
  • Added support for haveibeenpwned.com

    Added support for haveibeenpwned.com

    Hello, this PR adds support for https://haveibeenpwned.com. In cases where you want to check multiple passwords, you should sleep 1.5 seconds between requests because the API is rate limited.

    opened by lateralusd 4
  • Prevent DoS by using timeouts in HTTP calls

    Prevent DoS by using timeouts in HTTP calls

    The default HTTP client does not enforce any timeouts. This task is left to the user. Not doing so leaves one vulnerable to denial of service attacks. A more probable scenario might be a downtime of HIBP and hanging / blocking programs using crunchy.

    The HttpClient variable is exported to enable users to change the default timeouts.

    opened by KEANO89 3
  • Add MustContainDigit and MustContainSymbol flags to the Option struct

    Add MustContainDigit and MustContainSymbol flags to the Option struct

    This PR extends the crunchy.Options struct to improve the password requirements options. Two new flags are added: MustContainDigit - if set to true, the password must contain at least one digit to be valid (default is false); MustContainSymbol - if set to true, the password must contain at least one special symbol to be valid (default is false).

    enhancement 
    opened by morangolan 1
  • Reduce memory footprint indexing dictionaries

    Reduce memory footprint indexing dictionaries

    This is a preliminary attempt to reduce crunchy's memory footprint when used with very large dictionary files.

    Started as https://github.com/gopasspw/gopass/issues/1261

    enhancement 
    opened by rafasc 1
  • Release a new version

    Release a new version

    There have been few changes since the last release - https://github.com/muesli/crunchy/compare/v0.1...HEAD.

    Would it be possible to tag a new version with them?

    I am trying to package crunchy for Debian as part of packaging of https://github.com/gopasspw/gopass/

    opened by balasankarc 1
  • Use concurrency to check mangled passwords

    Use concurrency to check mangled passwords

    This is part of an attempt to improve crunchy's performance.

    This PR focuses on improving the mangled password checks by using concurrency to speed up the search.

    $ benchstat before after 
    name                   old time/op  new time/op  delta
    ValidatePassword-8      41.3s ± 1%   29.7s ± 1%  -28.12%  (p=0.000 n=8+8)
    FoundInDictionaries-8   11.8s ± 1%    4.4s ± 1%  -62.24%  (p=0.000 n=8+8)
    

    Hashing will be next

    opened by rafasc 2
  • Ability to load dictionaries in memory

    Ability to load dictionaries in memory

    At the moment it is only possible to load dictionaries from disk. This precludes storing dictionaries in a database or other more easily updated location that an application could load from on startup.

    Would there be any objections to exposing the inner for loop body of the indexDictionaries func outside of the package so that the dictionary could be populated by whatever is convenient for the developer with a caveat that it is not safe to call that function concurrently with any other aspect of the application (or a rwmutex to enforce that this is the case).

    opened by nvx 1
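The haveibeenpwned.com support and HTTP-timeout pull requests above describe what a safe HIBP lookup needs. The following added Go example, which is not crunchy's code, shows the shape of such a lookup: it uses the Pwned Passwords range API's k-anonymity scheme (only the first five hex characters of the password's SHA-1 are sent; the remaining 35 are matched locally against the returned SUFFIX:COUNT lines) and an http.Client with an explicit overall timeout instead of http.DefaultClient's none. It talks to a constructed in-process httptest server rather than the real service; the fake server, the count 3730471 and the function names are all made up for the example.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// NewClient builds the client used for lookups with a hard overall deadline.
// http.DefaultClient has none, so a stalled upstream would block the caller forever.
func NewClient(timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout}
}

// LookupPwned queries a Pwned Passwords style range endpoint (the real one is
// https://api.pwnedpasswords.com/range/<prefix>): only the first five hex digits
// of the SHA-1 leave the machine, and the remaining 35 are matched locally
// against the "SUFFIX:COUNT" lines of the reply. A count of 0 means not found.
func LookupPwned(client *http.Client, baseURL, password string) (int, error) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := h[:5], h[5:]

	resp, err := client.Get(baseURL + "/range/" + prefix)
	if err != nil {
		return 0, err // an expired client.Timeout surfaces here
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("range lookup: unexpected status %s", resp.Status)
	}
	sc := bufio.NewScanner(resp.Body)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // the real API separates lines with \r\n
		if i := strings.IndexByte(line, ':'); i > 0 && line[:i] == suffix {
			return strconv.Atoi(line[i+1:])
		}
	}
	return 0, sc.Err()
}

// fakeRangeServer is a constructed stand-in for the HIBP API so the example runs
// offline. It knows one range (the one containing "password", with a made-up count)
// and, when hang is set, stalls every other request to show the timeout firing.
func fakeRangeServer(hang bool) *httptest.Server {
	sum := sha1.Sum([]byte("password"))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/range/"+h[:5] {
			fmt.Fprintf(w, "00000000000000000000000000000000000:2\r\n%s:3730471\r\n", h[5:])
			return
		}
		if hang {
			time.Sleep(500 * time.Millisecond) // simulate an unresponsive upstream
		}
		fmt.Fprint(w, "00000000000000000000000000000000000:2\r\n")
	}))
}

func main() {
	srv := fakeRangeServer(false)
	defer srv.Close()
	n, err := LookupPwned(NewClient(3*time.Second), srv.URL, "password")
	fmt.Println("seen", n, "times, err:", err)
}
```

With the hanging server and a 100 ms client timeout, LookupPwned returns an error after roughly 100 ms instead of blocking, which is the failure mode the timeout pull request describes. The full hash never leaves the process, so logging the request URL cannot leak the password either.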
Releases(v0.4.0)
  • v0.4.0(Apr 10, 2020)

  • v0.3.0(Jan 30, 2020)

  • v0.2.0(Apr 18, 2019)

  • v0.1.0(Jan 31, 2020)

    Finds common flaws in passwords. Like cracklib, but written in Go.

    Detects:

    • Empty passwords: ErrEmpty
    • Too short passwords: ErrTooShort
    • Too few different characters, like "aabbccdd": ErrTooFewChars
    • Systematic passwords, like "abcdefgh" or "87654321": ErrTooSystematic
    • Passwords from a dictionary / wordlist: ErrDictionary
    • Mangled / reversed passwords, like "p@ssword" or "drowssap": ErrMangledDictionary
    • Hashed dictionary words, like "5f4dcc3b5aa765d61d8327deb882cf99" (the md5sum of "password"): ErrHashedDictionary
Owner
Christian Muehlhaeuser
Geek, Gopher, Software Developer, Maker, Opensource Advocate, Tech Enthusiast, Photographer, Board and Card Gamer