sethvargo / go-password Goto Github PK

Issues generating passwords. Appears that occasionally the password is generated incorrectly.

Can't determine issue. I've tried with bash, sh, zsh

While generating passwords, some password policies require both uppercase and lowercase letters. If the number of characters specified is low enough, there's a higher likelihood that a password with either no uppercase or no lowercase might be generated.

for example:

found one without uppers: lj<htui904&wgnobm2
found one without lowers: XS4M-VKG3BCQY+ET09
found one without lowers: P<QS8KTN53#BV1CDWY
found one without uppers: eab9ko!i45qc8tmny-
found one without lowers: SH-YC6Q*LBRM4FPD30

If it seems feasible, I'd love to submit a PR to update the behavior to avoid having either no uppercase or no lowercase in the generated strings, but not really sure where to begin. Any pointers much appreciated.

Could you please to make the new release tag for latest master?
It's necessary to reference from go.mod

The algorithm intends to produce high-entropy passwords, which suggests a high level of unpredictability and security. However, the restriction that disallows repeated characters and the requirement for a fixed number of digits and special characters may inadvertently reduce the entropy of the generated passwords.

Entropy, in the context of password security, is a measure of unpredictability or randomness. It is often quantified in bits and calculated based on the logarithm of the number of possible outcomes. For a password with n possible characters and a length of m, the total number of possible passwords without restrictions is n^m.

When we disallow repeated characters, we reduce the number of possible outcomes for each subsequent character. For example, if a password must be 8 characters long and we use a set of 62 possible characters (26 lowercase, 26 uppercase, 10 digits), the number of possible passwords without repetition is 62 * 61 * 61 * ... * 61, which is significantly less than 62^8.

Similarly, by fixing the number of digits and special characters, we further reduce the number of possible combinations. If a password must contain exactly 2 digits and 2 special characters, the positions and choices for these characters are limited, which reduces the overall entropy compared to a scenario where any character could occupy any position independently of their presence in other positions.

Mandating 2 digits in an 8-character alphanumeric password means that out of the 8 characters, exactly 2 must be digits (0-9) and the remaining 6 must be alphabetic characters (A-Z, a-z). This constraint reduces the number of possible combinations compared to a situation where all 8 characters could be freely chosen from the 62 possible alphanumeric characters (26 lowercase + 26 uppercase + 10 digits).

Let's calculate the number of possible passwords for both the constrained and unconstrained cases.

Unconstrained Case:
For each of the 8 characters, you can choose from 62 possibilities. Therefore, the total number of possible passwords is:
62^8

Constrained Case:
First, we need to choose the positions of the 2 digits in the 8-character password. There are C(8,2) ways to do this, where C(n,k) is the binomial coefficient representing the number of combinations of n items taken k at a time.

Once the positions for the digits are chosen, there are 10 possibilities for each digit. For the 6 alphabetic characters, there are 52 possibilities for each (26 lowercase + 26 uppercase). Therefore, the total number of possible passwords under the constraint is:
C(8,2) * 10^2 * 52^6

To calculate C(8,2), you can use the formula for the binomial coefficient:
C(n,k) = n! / (k!(n-k)!)

So, C(8,2) = 8! / (2! * (8-2)!) = 28

Thus, the total number of possible passwords with the constraint is:
28 * 10^2 * 52^6.

Suggestions

While it may seem counterintuitive, allowing characters to repeat increases the number of possible password combinations and thus the entropy. Obviously the user has the ability to specify this, but it is a rather detrimental option. The only justification I can think of is to comply with password requirements meant for human users. However, ignoring or removing the option may not be reasonable at this point.

Concatenation all characters from the character set(s) together and randomly selecting them one-by-one to produce the required password length could be a lot simpler and more secure. This could potentially be accomplished in a backwards-compatible way by interpreting negative numDigits and numSpecial as expecting this behavior.

In most of the case password not accept double-quotes (") and backslash () but Generate password function generate these symbols.
Need to remove these from generate.go.

Hi Seth, from what I can tell, the randomInsert function will never insert a character as the last character of the string.

Here is a quick demo to add to the README:

GO111MODULE=off go get github.com/sethvargo/go-password/password
go run github.com/dolmen-go/goeval@latest -i .=github.com/sethvargo/go-password/password 'fmt.Println(MustGenerate(14,2,2,false,true))'

Lots of things don't allow all symbols (e.g., AWS IAM). It would be nice if the password.Symbols wasn't a constant so I can override it with my own valid symbol set.

In some cases got "wrong" passwords like:

	passwd, err := password.Generate(16, 8, 8, false, false)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf(passwd)

,48_$<723^05*=6%!(NOVERB)

?)~437\9}+%!&(MISSING)0618

239/1~%!,(BADINDEX)7_4{^06

Solved this by removing the % symbol from generate.go

According to the Generate docs:

allowRepeat allows characters to repeat.

People normally think of repeating characters as characters next to each other. For example, aba does not have repeating characters while aab does: a repeats twice.

The go-password use of allowRepeat means the same character cannot appear anywhere in the string a 2nd time. This can be thought of as allowing duplicate characters or only using unique characters.

To demonstrate, this will generate a password using all letters of the alphabet without duplicates.

res, err := password.Generate(26, 0, 0, true, false)

Increasing the length to 27 yields the following error;

2020/06/04 10:30:16 number of letters exceeds available letters and repeats are not allowed

The AgileBits 1Password link from the README states the repeating characters need to be consecutive, not unique to the entire password.

if doing do would lead to consecutive repeating characters. If it does, then we go back and pick a new character all together.

If you want to keep allowRepeats, I suggest renaming it to allowDuplicates or onlyUnique.

Although v0.2.0 appears in tags, and therefore can be downloaded via golang's module system, it is confusing when looking on Github's releases page, which still lists v0.1.2 as the latest.