zxcvbn password complexity algorithm in golang
Go to file
Nathan Button fa2cb28583
Merge pull request #38 from lpmi-13/update_links
update original motivation link, plus http to https
2021-02-16 19:23:36 -07:00
.circleci Golint is not in the golang image, for now i will add it to the config while I research if there is an image where its included 2018-08-30 15:16:50 -06:00
adjacency Fix some small preformance issues as well as get lint passing 2018-08-28 21:25:31 -06:00
data Fix some small preformance issues as well as get lint passing 2018-08-28 21:25:31 -06:00
entropy Fix some small preformance issues as well as get lint passing 2018-08-28 21:25:31 -06:00
frequency go format + make testapp take input 2018-09-12 15:04:35 +02:00
fuzz Add comment for fuzz 2018-08-30 15:05:50 -06:00
match go format + make testapp take input 2018-09-12 15:04:35 +02:00
matching go format + make testapp take input 2018-09-12 15:04:35 +02:00
scoring Fix some small preformance issues as well as get lint passing 2018-08-28 21:25:31 -06:00
testapp Use loop on testapp until exit to allow the user continuous 2020-12-21 17:18:23 -05:00
utils/math Fix some small preformance issues as well as get lint passing 2018-08-28 21:25:31 -06:00
.gitignore fix godep references in test 2016-05-29 15:52:34 -06:00
LICENSE.txt Update LICENSE.txt 2015-10-06 14:11:02 -06:00
Makefile Makefile 2018-08-30 14:53:10 -06:00
README.md update original motivation link, plus http to https 2021-02-15 10:42:53 +00:00
go.mod Switch to using modules instead of vendor 2020-12-21 17:20:45 -05:00
go.sum Switch to using modules instead of vendor 2020-12-21 17:20:45 -05:00
zxcvbn.go Fix some small preformance issues as well as get lint passing 2018-08-28 21:25:31 -06:00
zxcvbn_test.go go format + make testapp take input 2018-09-12 15:04:35 +02:00

README.md

This is a goLang port of python-zxcvbn and zxcvbn, which are python and JavaScript password strength generators. zxcvbn attempts to give sound password advice through pattern matching and conservative entropy calculations. It finds 10k common passwords, common American names and surnames, common English words, and common patterns like dates, repeats (aaa), sequences (abcd), and QWERTY patterns.

Please refer to https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation for the full details and motivation behind zxcbvn. The source code for the original JavaScript (well, actually CoffeeScript) implementation can be found at:

https://github.com/lowe/zxcvbn

Python at:

https://github.com/dropbox/python-zxcvbn

For full motivation, see:

https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation


Use

The zxcvbn module has the public method PasswordStrength() function. Import zxcvbn, and call PasswordStrength(password string, userInputs []string). The function will return a result dictionary with the following keys:

Entropy # bits

CrackTime # estimation of actual crack time, in seconds.

CrackTimeDisplay # same crack time, as a friendlier string: # "instant", "6 minutes", "centuries", etc.

Score # [0,1,2,3,4] if crack time is less than # [10^2, 10^4, 10^6, 10^8, Infinity]. # (useful for implementing a strength bar.)

MatchSequence # the list of patterns that zxcvbn based the # entropy calculation on.

CalcTime # how long it took to calculate an answer, # in milliseconds. usually only a few ms.

The userInputs argument is an splice of strings that zxcvbn will add to its internal dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes the user's personal info can be heavily penalized. This list is also good for site-specific vocabulary.

Bug reports and pull requests welcome!


Project Status

Use zxcvbn_test.go to check how close to feature parity the project is.


Acknowledgment

Thanks to Dan Wheeler (https://github.com/lowe) for the CoffeeScript implementation (see above.) To repeat his outside acknowledgements (which remain useful, as always):

Many thanks to Mark Burnett for releasing his 10k top passwords list: https://xato.net/passwords/more-top-worst-passwords and for his 2006 book, "Perfect Passwords: Selection, Protection, Authentication"

Huge thanks to Wiktionary contributors for building a frequency list of English as used in television and movies: https://en.wiktionary.org/wiki/Wiktionary:Frequency_lists

Last but not least, big thanks to xkcd :) https://xkcd.com/936/