Add HIBP password check functionality

Implemented the HIBP password check feature, which cross-checks generated passwords against the HIBP pwned passwords database. This functionality enhances security by not recommending potentially compromised passwords. A new flag, CheckHIBP, has been added to enable or disable this feature.
This commit is contained in:
Winni Neessen 2024-03-12 19:00:21 +01:00
parent 4b0437d3b1
commit 87f93ddbc6
Signed by: wneessen
GPG key ID: 5F3AF39B820C119D
5 changed files with 36 additions and 1 deletions


@ -43,6 +43,7 @@ func main() {
flag.Int64Var(&config.NumberPass, "n", config.NumberPass, "")
flag.BoolVar(&config.SpellPassword, "l", false, "")
flag.BoolVar(&config.SpellPronounceable, "t", false, "")
flag.BoolVar(&config.CheckHIBP, "p", false, "")
flag.Usage = usage
flag.Parse()
@ -132,6 +133,17 @@ func main() {
continue
}
fmt.Println(password)
if config.CheckHIBP {
pwned, err := apg.HasBeenPwned(password)
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "failed to check HIBP database: %s\n", err)
}
if pwned {
fmt.Print("^-- !!WARNING: The previously generated password was found in " +
"HIBP database. Do not use it!!\n")
}
}
}
}
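Review bot: When HasBeenPwned fails at L26-L28 the error goes to stderr but execution falls through to `if pwned`, which is false on error, so the password already printed at L24 carries no marker that it was never verified and a transport failure reads like a clean result; print an explicit line on that path, e.g. `fmt.Print("^-- HIBP check failed; password NOT verified\n")`, before moving on. The lookup also runs after the password has been printed, so the warning can only ever follow it, which is acceptable for interactive use but worth stating in the usage text. The `-p` flag at L18 gets an empty usage string like its siblings and `flag.Usage = usage` is set at L19, so the usage function presumably lives outside the hunk and needs an entry for the new flag. Both hunks sit inside main, which begins and ends outside them.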


@ -15,8 +15,11 @@ const (
// Config represents the apg.Generator config parameters
type Config struct {
// Algo
// Algorithm sets the Algorithm used for the password generation
Algorithm Algorithm
// CheckHIBP sets a flag if the generated password has to be checked
// against the HIBP pwned password database
CheckHIBP bool
// FixedLength sets a fixed length for generated passwords and ignores
// the MinLength and MaxLength values
FixedLength int64
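Review bot: The CheckHIBP comment at L46-L47 says what the flag means but not that enabling it makes the generator perform a network request to the HIBP API for every generated password, which library users should know before turning it on. Suggested wording: `// CheckHIBP sets a flag if the generated password has to be checked against the HIBP pwned password database. Enabling it sends an HTTP request to the HIBP API per generated password.` The Config struct continues outside the hunk.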

2
go.mod

@ -1,3 +1,5 @@
module src.neessen.cloud/wneessen/apg-go
go 1.22
require github.com/wneessen/go-hibp v1.0.6

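--- /dev/null
+++ b/go.sum
@@ -0,0 +1,2 @@
+github.com/wneessen/go-hibp v1.0.6 h1:RpV540tVJpxefjCCctzq1cQaIFFlkd3nh+HhPVD6Hys=
+github.com/wneessen/go-hibp v1.0.6/go.mod h1:Ldg6DQg4fMCveVKgL+RL9Jy+9TsljjAP704Ix8X3jOw=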

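--- /dev/null
+++ b/hibp.go
@@ -0,0 +1,16 @@
+package apg
+import (
+"time"
+"github.com/wneessen/go-hibp"
+)
+// HasBeenPwned checks the given password string against the HIBP pwned
+// passwords database and returns true if the password has been leaked
+func HasBeenPwned(password string) (bool, error) {
+hc := hibp.New(hibp.WithHTTPTimeout(time.Second*2),
+hibp.WithPwnedPadding())
+matches, _, err := hc.PwnedPassAPI.CheckPassword(password)
+return matches != nil && matches.Count != 0, err
+}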
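Review bot: A new hibp client is built on every call at L83-L84, so a run that generates many passwords with -p constructs a fresh client, and presumably a fresh HTTP transport, per password; hoist it to package level, `var hibpClient = hibp.New(hibp.WithHTTPTimeout(time.Second*2), hibp.WithPwnedPadding())`, and have HasBeenPwned use that instance. The error at L86 is returned without context and alongside a possibly non-zero result; return early with a wrapped error, `if err != nil { return false, fmt.Errorf("checking password against HIBP: %w", err) }` (adding fmt to the imports), before inspecting matches. The 2-second timeout is a bare literal; a named package constant with a one-line comment on why that value was chosen would make it easier to tune and review.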