Inspired by how bad pattern locks are on phones, I added some code to count continuous (or maybe contiguous) pattern lengths as 0.

If you swipe your finger across your keyboard, in any direction, along the red lines in this image, it will be length 0.

Please let me know which changes you'd like to see and if these additions are appropriate. Disallowing patterns may count as one of those stupid rules. :smiley:

Staticcheck is a wonderful tool for performing static analysis of Go programs. This PR addresses all the issues (3 to be exact) that it mentioned and also adds it to the workflow for further checks in the future. I also updated the checkout action to v2 which most importantly has some performance work :)

Describe the bug Validate method always returns nil error, even when password entropy is less than minimum entropy

To Reproduce No additional steps required, it is a main line usecase. try with password as "123" with minimum entropy as 60 func strongPass(password string) error { const minEntropyBits = 60 err := passwordvalidator.Validate(password, minEntropyBits) return err }

The problem is the following code, when you return error object it is nil to calling function, as the call fmt.Errorf it is by value and is lost on return.

if len(allMessages) > 0 {
	return fmt.Errorf(
		"insecure password, try %v or using a longer password",
		strings.Join(allMessages, ", "),
	)
}

Expected behavior Should return an error.

Screenshots None

Environment (please complete the following information):

• OS: Mac OSX

Additional context None

So the password 1010101010101011101101000000010111011011101001010001001101011011 is calculated as only having a length of "2" and a base of 10. So it would be about 6 bits according to this. But the generation method clearly is generating a binary string with length 64, for a total of 64 bits of entropy.

Describe the bug The getLength function is supposed to strip sequential characters after a run length of 2. e.g. fghijkl should become fg.

However, because it first replaces the sequence asdfghjkl, it changes fghijkl to fgijk, which then becomes 'fgij, a length of 4.

To Reproduce

https://github.com/wagslane/go-password-validator/pull/14

Expected behavior It should change fghijkl to fg

Screenshots If applicable, add screenshots or console output that helps explain the situation

Environment (please complete the following information):

• OS: [e.g. Linux Ubuntu]

Additional context Add any other context about the problem here.

The asdfghjkl sequence was running first, resulting in a sequence like fgijk, which then would turn into fgij, when it should have turned into fg. Running seqAlphabet first avoids this issue, but then asdfghjkl gets the same issue. To remedy, we can run both and then see which one removed more characters.

Is your feature request related to a problem? Please describe.

I was looking around if we have any go packages to handle password strength validation and I stumbled upon this. I do like the idea behind this and I have a few suggestions that may come in handy:

• Allow custom error messages or expand the validate function to provide analytical data which can be used to determine error messages outside of the package (the primary idea of this is to allow i18n).
• Allow the validator to be configured with custom character sets or programmatically determine used character sets to support use cases that would require characters outside of the baked-in character sets.

Describe the solution you'd like

My first point should be straightforward on how it could be implemented; something in the lines of returning a struct which outlines the boolean flags used internally (hasReplace, hasLower, ...).

For the second one, I am quite unsure on how (if even possible) to implement as changes to the character sets would affect the entropy and what level would be considered secure (the table in your README).

Is this something you would consider your package to support? With your insight and if we decide to use this approach for Corteza, I can assist with the implementation.