passwordcheck: Index | Files

package passwordcheck

import ""

Package passwordcheck is a password and passphrase strength checker based on passwdqc (

Currently implemented via a CGO-binding to a modified passwdqc.


Package Files



var (
    ErrEmpty       = errors.New("empty password")
    ErrFailed      = newError(C.REASON_ERROR)       // check failed
    ErrSame        = newError(C.REASON_SAME)        // same as the old one
    ErrSimilar     = newError(C.REASON_SIMILAR)     // based on the old one
    ErrShort       = newError(C.REASON_SHORT)       // too short
    ErrLong        = newError(C.REASON_LONG)        // too long
    ErrSimpleShort = newError(C.REASON_SIMPLESHORT) // not enough different characters or classes for this length
    ErrSimple      = newError(C.REASON_SIMPLE)      // not enough different characters of classes
    ErrPersonal    = newError(C.REASON_PERSONAL)    // based on user name
    ErrWord        = newError(C.REASON_WORD)        // based on a directionary word and not a passphrase
    ErrSeq         = newError(C.REASON_SEQ)         // based on a common sequence of characters and not a passphrase
var DefaultPolicy = &Policy{
    Min:             [5]int{Disabled, 24, 11, 8, 7},
    Max:             1024,
    PassphraseWords: 3,
    MatchLength:     4,
    DenySimilar:     true,

DefaultPolicy is the default password strength policy.

var Disabled = C.INT_MAX

Disabled provides a value for Policy's Min to disable a password kind.

type Error Uses

type Error struct {
    // contains filtered or unexported fields

func (*Error) Error Uses

func (e *Error) Error() string

type Policy Uses

type Policy struct {
    // Min declares the minimum allowed password lengths for different
    // kinds of passwords and passphrases.
    // Constant Disabled can be used to disallow passwords of a given kind
    // regardless of their length. Each subsequent number is required to be
    // no larger than the preceding one.
    // Min[0] is used for passwords consisting of characters from one
    // character class only. The character classes are: digits, lower-case
    // letters, upper-case letters, and other characters. There is also a
    // special class for non-ASCII characters, which could not be
    // classified, but are assumed to be non-digits.
    // Min[1] is used for passwords consisting of characters from two
    // character classes that do not meet the requirements for a
    // passphrase.
    // Min[2] is used for passphrases. Note that besides meeting this
    // length requirement, a passphrase must also consist of a sufficient
    // number of words (see the PassphraseWords option below).
    // Min[3] and Min[4] are used for passwords consisting of characters
    // from three and four character classes, respectively.
    Min [5]int

    // Max is the maximum allowed password length.
    // This can be used to prevent users from setting passwords that may be
    // too long for some system services.
    Max int

    // PassphraseWords is the number of words required for a passphrase.
    // Set to 0 to disable the support for user-chosen passphrases.
    PassphraseWords int

    // MatchLength is the length of common substring required to conclude
    // that a password is at least partially based on information found in
    // a character string, or 0 to disable the substring search.
    // Note that the password will not be rejected once a weak substring is
    // found; it will instead be subjected to the usual strength
    // requirements with the weak substring partially discounted.
    MatchLength int

    // DenySimilar indicates whether a new password is allowed to be
    // similar to the old one.
    // The passwords are considered to be similar when there is a
    // sufficiently long common substring and the new password with the
    // substring partially discounted would be weak.
    DenySimilar bool

Policy describes a password strength policy.

func ParsePolicy Uses

func ParsePolicy(config string) (p *Policy, err error)

ParsePolicy parses a string describing password policy. The format is similar to passwdqc, but a bit relaxed:

min=N0,N1,N2,N3,N4        default: min=disabled,24,11,8,7
max=N                     default: max=40
passphrase=N              default: passphrase=3
match=N                   default: match=4
similar=permit|deny       default: similar=deny

Configuration items can be separated by a new line or by space, for example:

min=disabled,16,17,18,19 max=20 passphrase=21 match=22 similar=deny

The order of items is not important. There must be no spaces or excess commas between min values. Items not present in the string are filled from DefaultPolicy.

func (*Policy) Check Uses

func (p *Policy) Check(newPassword, oldPassword, username []byte) error

Check checks that the new password complies with the policy and returns nil if it does, and Error if not.

If old password or user name are not nil, the are also used for checking, for example, to make sure that the new password sufficiently differs from the old one.

Package passwordcheck imports 5 packages (graph). Updated 2016-07-21. Refresh now. Tools for package owners.