wagslane / Go Password Validator

Licence: mit
Validate the Strength of a Password in Go

go-password-validator

Simple password validator using raw entropy values. Hit the project with a star if you find it useful ⭐

Supported by Qvault

This project can be used to front a password strength meter, or simply validate password strength on the server. Benefits:

  • No stupid rules (doesn't require uppercase, numbers, special characters, etc)
  • Everything is based on entropy (raw cryptographic strength of the password)
  • Doesn't load large sets of data into memory - very fast and lightweight
  • Doesn't contact any APIs or external systems
  • Inspired by this XKCD

⚙️ Installation

Outside of a Go module:

go get github.com/wagslane/go-password-validator

🚀 Quick Start

package main

import (
    "fmt"

    passwordvalidator "github.com/wagslane/go-password-validator"
)

func main() {
    entropy := passwordvalidator.GetEntropy("a longer password")
    // entropy is a float64, representing the strength in base 2 (bits)
    fmt.Printf("entropy: %.2f bits\n", entropy)

    const minEntropyBits = 60
    err := passwordvalidator.Validate("some password", minEntropyBits)
    // if the password has enough entropy, err is nil
    // otherwise, a formatted error message is provided explaining
    // how to increase the strength of the password
    // (safe to show to the client)
    if err != nil {
        fmt.Println(err)
    }
}

What Entropy Value Should I Use?

It's up to you. That said, here is a graph that shows some common timings for different values; somewhere in the 50-70 range seems "reasonable".

Keep in mind that attackers likely aren't just brute-forcing passwords. If you want protection against common passwords or PWNed passwords, you'll need to do additional work. This library is lightweight, doesn't load large datasets, and doesn't contact external services.

[Graph: common timings for different entropy values]

How It Works

First, we determine the "base" number. The base is a sum of the different "character sets" found in the password.

We've arbitrarily chosen the following character sets:

  • 26 lowercase letters
  • 26 uppercase letters
  • 10 digits
  • 5 replacement characters - !@$&*
  • 5 separator characters - _-., (the fifth is the space character)
  • 22 less common special characters - "#%'()+/:;<=>?[\]^{|}~

Using at least one character from each set, your base number will be 94: 26+26+10+5+5+22 = 94

Every unique character that doesn't match one of those sets will add 1 to the base.

If you only use, for example, lowercase letters and numbers, your base will be 36: 26+10 = 36.

After we have calculated a base, the total number of brute-force guesses is found using the following formula: base^length

A password using base 26 with 7 characters would require 26^7, or 8031810176 guesses.

Once we know the number of guesses it would take, we can calculate the actual entropy in bits using log2(guesses). That calculation is done in log space in practice to avoid numeric overflow.
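The base and log-space entropy calculation described above, written out as an added example. This is not the project's own code: the names `charSets`, `base` and `rawEntropyBits` are hypothetical, the sets are typed in from the list above (assuming the fifth separator is the space), and the length used here is the plain character count.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// The six character sets from the list above (fifth separator assumed to be the space).
var charSets = []string{
	"abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789",
	"!@$&*", "_-., ", "\"#%'()+/:;<=>?[\\]^{|}~",
}

// base sums the size of each set the password touches and adds 1 for every
// unique rune that belongs to none of them.
func base(pw string) int {
	total, other := 0, map[rune]bool{}
	for _, r := range pw {
		other[r] = true
	}
	for _, set := range charSets {
		if strings.ContainsAny(pw, set) {
			total += len(set)
		}
		for _, r := range set {
			delete(other, r) // runes covered by a set are not counted again
		}
	}
	return total + len(other)
}

// rawEntropyBits returns log2(base^length) as length*log2(base), so a long
// password cannot overflow the way computing base^length directly would.
func rawEntropyBits(pw string) float64 {
	length := len([]rune(pw))
	if length == 0 {
		return 0
	}
	return float64(length) * math.Log2(float64(base(pw)))
}

func main() {
	// Constructed sample passwords; for the last one base^length is not representable.
	for _, pw := range []string{"hzqmtek", "Tr0ub4dor&3", strings.Repeat("x9", 200)} {
		fmt.Printf("len=%3d base=%2d bits=%.1f\n", len([]rune(pw)), base(pw), rawEntropyBits(pw))
	}
}
```

For the 400-character sample, `math.Pow(36, 400)` is `+Inf`, while the log-space form still yields a finite bit count.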

Additional Safety

We try to err on the side of reporting less entropy rather than more.

Same Character

With repeated characters like aaaaaaaaaaaaa, or 111222, we modify the length of the sequence to count as no more than 2.

  • aaaa has length 2
  • 111222 has length 4

Common Sequences

Common sequences of length three or greater count as length 2.

  • 12345 has length 2
  • 765432 has length 2
  • abc has length 2
  • qwerty has length 2

The sequences are checked from back->front and front->back. Here are the sequences we've implemented so far, and they're case-insensitive:

  • 0123456789
  • qwertyuiop
  • asdfghjkl
  • zxcvbnm
  • abcdefghijklmnopqrstuvwxyz
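The two length rules above (same character and common sequences), reconstructed from this description as an added example; it is not the project's own code. The names `capRuns` and `effectiveLength` are hypothetical, and applying the rules as successive passes over the lowercased password is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Sequences listed above; matching is case-insensitive and runs in both directions.
var sequences = []string{"0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm",
	"abcdefghijklmnopqrstuvwxyz"}

// capRuns keeps at most two runes of every run in which linked(prev, cur) holds.
func capRuns(rs []rune, linked func(prev, cur rune) bool) []rune {
	out, run := []rune{}, 0
	for i, r := range rs {
		if i > 0 && linked(rs[i-1], r) {
			run++
		} else {
			run = 1 // run broken: this rune starts a new one
		}
		if run <= 2 {
			out = append(out, r)
		}
	}
	return out
}

// effectiveLength applies the same-character rule first, then each sequence
// front->back and back->front, and returns the length used for entropy.
func effectiveLength(pw string) int {
	rs := capRuns([]rune(strings.ToLower(pw)), func(a, b rune) bool { return a == b })
	for _, seq := range sequences {
		fwd := func(a, b rune) bool { return strings.Contains(seq, string([]rune{a, b})) }
		rs = capRuns(rs, fwd)
		rs = capRuns(rs, func(a, b rune) bool { return fwd(b, a) })
	}
	return len(rs)
}

func main() {
	// The README's own examples plus two constructed mixed inputs.
	for _, pw := range []string{"aaaa", "111222", "12345", "765432", "abc", "qwerty",
		"QwErTy2024!", "correct horse"} {
		fmt.Printf("%-16q raw=%2d effective=%2d\n", pw, len([]rune(pw)), effectiveLength(pw))
	}
}
```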

Not ZXCVBN

There's another project that has a similar purpose, zxcvbn, and you may want to check it out as well. Our goal is not to be zxcvbn, because it's already good at what it does. go-password-validator doesn't load any large datasets of real-world passwords; instead, we write simple rules to calculate an entropy score. It's up to the user of this library to decide how to use that entropy score, and what scores constitute "secure enough" for their application.

💬 Contact

Submit an issue (above in the issues tab)

Transient Dependencies

None! And it will stay that way, except of course for the standard library.

👏 Contributing

I love help! Contribute by forking the repo and opening pull requests. Please ensure that your code passes the existing tests and linting, and write tests to test your changes if applicable.

All pull requests should be submitted to the main branch.

make test
make fmt
make vet
make lint