Validate the Strength of a Password in Go

Overview

go-password-validator

Simple password validator using raw entropy values. Hit the project with a star if you find it useful


This project can be used to front a password strength meter, or simply validate password strength on the server. Benefits:

  • No stupid rules (doesn't require uppercase, numbers, special characters, etc)
  • Everything is based on entropy (raw cryptographic strength of the password)
  • Doesn't load large sets of data into memory - very fast and lightweight
  • Doesn't contact any APIs or external systems
  • Inspired by this XKCD

[image: XKCD Passwords]

⚙️ Installation

Outside of a Go module:

go get github.com/wagslane/go-password-validator

🚀 Quick Start

package main

import (
    "fmt"

    passwordvalidator "github.com/wagslane/go-password-validator"
)

func main() {
    entropy := passwordvalidator.GetEntropy("a longer password")
    // entropy is a float64, representing the strength in base 2 (bits)
    fmt.Printf("entropy: %.2f bits\n", entropy)

    const minEntropyBits = 60
    err := passwordvalidator.Validate("some password", minEntropyBits)
    // if the password has enough entropy, err is nil
    // otherwise, a formatted error message is provided explaining
    // how to increase the strength of the password
    // (safe to show to the client)
    if err != nil {
        fmt.Println(err)
    }
}

What Entropy Value Should I Use?

It's up to you. That said, here is a graph that shows some common timings for different values; somewhere in the 50-70 range seems "reasonable".

Keep in mind that attackers likely aren't just brute-forcing passwords. If you want protection against common passwords or pwned passwords, you'll need to do additional work: this library is lightweight, doesn't load large datasets, and doesn't contact external services.

[graph: entropy]

How It Works

First, we determine the "base" number. The base is a sum of the different "character sets" found in the password.

We've arbitrarily chosen the following character sets:

  • 26 lowercase letters
  • 26 uppercase letters
  • 10 digits
  • 5 replacement characters - !@$&*
  • 5 separator characters - _-., and the space character
  • 22 less common special characters - "#%'()+/:;<=>?[\]^{|}~

Using at least one character from each set, your base number will be 94: 26+26+10+5+5+22 = 94.

Every unique character that doesn't match one of those sets will add 1 to the base.

If you only use, for example, lowercase letters and numbers, your base will be 36: 26+10 = 36.

After we have calculated a base, the total number of brute-force guesses is found using the following formula: base^length

A password using base 26 with 7 characters would require 26^7, or 8031810176 guesses.

Once we know the number of guesses it would take, we can calculate the actual entropy in bits using log2(guesses). That calculation is done in log space in practice to avoid numeric overflow.
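As an added example (not the library's own code), here is the base and entropy computation this section describes, implemented on the README's character sets: Guesses evaluates base^length directly to show the overflow that the log-space form in Entropy avoids. The length here is the raw character count; the repeat and sequence penalties described under Additional Safety are left out.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Character sets from the README; illustrative reimplementation, not the library's code.
var charSets = []string{
	"abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789",
	"!@$&*", "_-., ", `"#%'()+/:;<=>?[\]^{|}~`,
}

// Base sums the size of every character set the password touches; a character
// that belongs to no set counts as its own set of size 1.
func Base(pw string) float64 {
	used, base := map[string]bool{}, 0.0
	for _, r := range pw {
		set := string(r)
		for _, cs := range charSets {
			if strings.ContainsRune(cs, r) {
				set = cs
			}
		}
		if !used[set] {
			used[set], base = true, base+float64(len([]rune(set)))
		}
	}
	return base
}
// Guesses evaluates base^length directly; it overflows to +Inf for long passwords.
func Guesses(pw string) float64 {
	return math.Pow(Base(pw), float64(len([]rune(pw))))
}
// Entropy is log2(base^length) computed in log space as length*log2(base), so it
// stays finite where Guesses overflows. The length here is the raw character count.
func Entropy(pw string) float64 {
	if b := Base(pw); b > 1 {
		return float64(len([]rune(pw))) * math.Log2(b)
	}
	return 0 // base 0 (empty password) or base 1 contributes no entropy
}

func main() {
	for _, pw := range []string{"abcdefg", "G0-pher&z", strings.Repeat("x", 256)} {
		fmt.Printf("base=%2.0f guesses=%-11.4g entropy=%7.1f bits  %q\n", Base(pw), Guesses(pw), Entropy(pw), pw)
	}
}
```

"abcdefg" reproduces the README's 26^7 = 8031810176 example, while 256 lowercase characters overflow Guesses to +Inf yet still yield a finite 1203 bits from Entropy.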

Additional Safety

We try to err on the side of reporting less entropy rather than more.

Same Character

With repeated characters like aaaaaaaaaaaaa, or 111222, we modify the length of the sequence to count as no more than 2.

  • aaaa has length 2
  • 111222 has length 4

Common Sequences

Common sequences of length three or greater count as length 2.

  • 12345 has length 2
  • 765432 has length 2
  • abc has length 2
  • qwerty has length 2

The sequences are checked from back->front and front->back. Here are the sequences we've implemented so far, and they're case-insensitive:

  • 0123456789
  • qwertyuiop
  • asdfghjkl
  • zxcvbnm
  • abcdefghijklmnopqrstuvwxyz
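An added example (not the library's own code) of the two length rules above, applied to a password before it goes into base^length: repeated characters are capped at two, then any run of three or more characters that follows one of the listed sequences, in either direction and ignoring case, counts as two.

```go
package main

import (
	"fmt"
	"strings"
)
// The README's sequences, each listed forwards and backwards (illustrative code, not the library's).
var sequences = []string{
	"0123456789", "9876543210", "qwertyuiop", "poiuytrewq", "asdfghjkl", "lkjhgfdsa",
	"zxcvbnm", "mnbvcxz", "abcdefghijklmnopqrstuvwxyz", "zyxwvutsrqponmlkjihgfedcba",
}
// inSequence reports whether sub is a contiguous piece of any known sequence.
func inSequence(sub string) bool {
	for _, seq := range sequences {
		if strings.Contains(seq, sub) {
			return true
		}
	}
	return false
}

// EffectiveLength is the length that goes into base^length after both safety rules:
// a run of one character counts as at most 2 (aaaa -> 2, 111222 -> 4), and a run of
// 3+ characters that follows a sequence counts as 2 (12345 -> 2, 765432 -> 2, qwerty -> 2).
func EffectiveLength(pw string) int {
	var kept []rune
	for _, r := range strings.ToLower(pw) {
		if n := len(kept); n < 2 || kept[n-1] != r || kept[n-2] != r {
			kept = append(kept, r) // drop the 3rd and later copies of a repeated char
		}
	}
	n := 0
	for i := 0; i < len(kept); {
		j := i + 1 // grow j while kept[i:j+1] is still part of one sequence
		for j < len(kept) && inSequence(string(kept[i:j+1])) {
			j++
		}
		if j-i >= 3 {
			n, i = n+2, j // the whole sequential run counts as 2
		} else {
			n, i = n+1, i+1
		}
	}
	return n
}

func main() {
	for _, pw := range []string{"aaaa", "111222", "12345", "765432", "QWERTYuiop", "correct horse"} {
		fmt.Printf("%-15q effective length %2d\n", pw, EffectiveLength(pw))
	}
}
```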

Not ZXCVBN

There's another project with a similar purpose, zxcvbn, and you may want to check it out as well. Our goal is not to be zxcvbn, because it's already good at what it does. go-password-validator doesn't load any large datasets of real-world passwords; instead, we write simple rules to calculate an entropy score. It's up to the user of this library to decide how to use that entropy score, and what scores constitute "secure enough" for their application.

💬 Contact


Submit an issue (above in the issues tab)

Transitive Dependencies

None! And it will stay that way, except of course for the standard library.

👏 Contributing

I love help! Contribute by forking the repo and opening pull requests. Please ensure that your code passes the existing tests and linting, and write tests to test your changes if applicable.

All pull requests should be submitted to the main branch.

make test
make fmt
make vet
make lint
Issues
  • Add error to Validate if password is common

    Add error to Validate if password is common

    Inspired by how bad pattern locks are on phones, I added some code to count continuous (or maybe contiguous) pattern lengths as 0.

    If you swipe your finger across your keyboard, in any direction, along the red lines in this image, it will be length 0.

    Please let me know which changes you'd like to see and if these additions are appropriate. Disallowing patterns may count as one of those stupid rules. :smiley:

    opened by f0nkey 3
  • Address issues raised by staticcheck and add it to workflow

    Address issues raised by staticcheck and add it to workflow

    Staticcheck is a wonderful tool for performing static analysis of Go programs. This PR addresses all the issues (3 to be exact) that it mentioned and also adds it to the workflow for further checks in the future. I also updated the checkout action to v2 which most importantly has some performance work :)

    opened by Jacalz 2
  • passwordvalidator.Validate always returns a nil error, even when the supplied password is well below min entropy

    passwordvalidator.Validate always returns a nil error, even when the supplied password is well below min entropy

    Describe the bug: The Validate method always returns a nil error, even when the password entropy is less than the minimum entropy.

    To Reproduce: No additional steps required, it is a main line use case. Try with the password "123" and a minimum entropy of 60:

    func strongPass(password string) error {
    	const minEntropyBits = 60
    	err := passwordvalidator.Validate(password, minEntropyBits)
    	return err
    }

    The problem is the following code: when you return the error object it is nil in the calling function, as the call to fmt.Errorf is by value and is lost on return.

    if len(allMessages) > 0 {
    	return fmt.Errorf(
    		"insecure password, try %v or using a longer password",
    		strings.Join(allMessages, ", "),
    	)
    }

    Expected behavior: Should return an error.

    Screenshots: None

    Environment (please complete the following information):

    • OS: Mac OSX

    Additional context: None

    opened by satish71 1
  • 10001010101010101001110101010101010101010101010101010101 should be secure

    10001010101010101001110101010101010101010101010101010101 should be secure

    So the password 1010101010101011101101000000010111011011101001010001001101011011 is calculated as only having a length of "2" and a base of 10. So it would be about 6 bits according to this. But the generation method clearly is generating a binary string with length 64, for a total of 64 bits of entropy.

    opened by wagslane 1
  • Allow configuration such as error messages and character sets

    Allow configuration such as error messages and character sets

    Is your feature request related to a problem? Please describe.

    I was looking around if we have any go packages to handle password strength validation and I stumbled upon this. I do like the idea behind this and I have a few suggestions that may come in handy:

    • Allow custom error messages or expand the validate function to provide analytical data which can be used to determine error messages outside of the package (the primary idea of this is to allow i18n).
    • Allow the validator to be configured with custom character sets or programmatically determine used character sets to support use cases that would require characters outside of the baked-in character sets.

    Describe the solution you'd like

    My first point should be straightforward to implement; something along the lines of returning a struct which outlines the boolean flags used internally (hasReplace, hasLower, ...).

    For the second one, I am quite unsure on how (if even possible) to implement as changes to the character sets would affect the entropy and what level would be considered secure (the table in your README).

    Is this something you would consider your package to support? With your insight and if we decide to use this approach for Corteza, I can assist with the implementation.

    opened by tjerman 2
Releases(v0.2.0)
  • v0.2.0(Dec 31, 2020)

    The major updates were:

    • Penalize sequences in passwords. E.g. 123456 only counts as length 2.
    • Don't penalize the use of the same character if it's not repeating. E.g. 00100001011111000 becomes 00100101100
    • Break special characters up into three groups, where the most common ones don't add as much entropy.
Owner
Lane Wagner
I like Go and Rust, and I tolerate JavaScript and Python. @wagslane on twitter.