Add HIBP password check functionality

Implemented HIBP password check feature which will crosscheck generated passwords with the HIBP pwned passwords database. This functionality enhances security by not recommending potentially compromised passwords. A new flag, CheckHIBP has been added to enable or disable this feature.
2024-11-09 15:52:54 +01:00 · 2024-03-12 19:00:21 +01:00 · 2024-03-12 19:00:21 +01:00 · 87f93ddbc6
commit 87f93ddbc6
parent 4b0437d3b1
5 changed files with 36 additions and 1 deletions
--- a/cmd/apg/apg.go
+++ b/cmd/apg/apg.go
@ -43,6 +43,7 @@ func main() {
 	flag.Int64Var(&config.NumberPass, "n", config.NumberPass, "")
 	flag.BoolVar(&config.SpellPassword, "l", false, "")
 	flag.BoolVar(&config.SpellPronounceable, "t", false, "")
+	flag.BoolVar(&config.CheckHIBP, "p", false, "")
 	flag.Usage = usage
 	flag.Parse()

@ -132,6 +133,17 @@ func main() {
 			continue
 		}
 		fmt.Println(password)
+
+		if config.CheckHIBP {
+			pwned, err := apg.HasBeenPwned(password)
+			if err != nil {
+				_, _ = fmt.Fprintf(os.Stderr, "failed to check HIBP database: %s\n", err)
+			}
+			if pwned {
+				fmt.Print("^-- !!WARNING: The previously generated password was found in " +
+					"HIBP database. Do not use it!!\n")
+			}
+		}
 	}
 }

--- a/config.go
+++ b/config.go
@ -15,8 +15,11 @@ const (

 // Config represents the apg.Generator config parameters
 type Config struct {
-	// Algo
+	// Algorithm sets the Algorithm used for the password generation
 	Algorithm Algorithm
+	// CheckHIBP sets a flag if the generated password has to be checked
+	// against the HIBP pwned password database
+	CheckHIBP bool
 	// FixedLength sets a fixed length for generated passwords and ignores
 	// the MinLength and MaxLength values
 	FixedLength int64
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,5 @@
 module src.neessen.cloud/wneessen/apg-go

 go 1.22
+
+require github.com/wneessen/go-hibp v1.0.6
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,2 @@
+github.com/wneessen/go-hibp v1.0.6 h1:RpV540tVJpxefjCCctzq1cQaIFFlkd3nh+HhPVD6Hys=
+github.com/wneessen/go-hibp v1.0.6/go.mod h1:Ldg6DQg4fMCveVKgL+RL9Jy+9TsljjAP704Ix8X3jOw=
--- a/hibp.go
+++ b/hibp.go
@ -0,0 +1,16 @@
+package apg
+
+import (
+	"time"
+
+	"github.com/wneessen/go-hibp"
+)
+
+// HasBeenPwned checks the given password string against the HIBP pwned
+// passwords database and returns true if the password has been leaked
+func HasBeenPwned(password string) (bool, error) {
+	hc := hibp.New(hibp.WithHTTPTimeout(time.Second*2),
+		hibp.WithPwnedPadding())
+	matches, _, err := hc.PwnedPassAPI.CheckPassword(password)
+	return matches != nil && matches.Count != 0, err
+}