/passit

A password generation toolkit for Go.

Primary LanguageGoBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

passit

passit is a password generation toolkit for Go. It features a variety of different password generators from charsets to regular expressions, wordlists and emoji.

All generators implement the following interface:

// Generator is an interface for generating passwords.
type Generator interface {
	// Password returns a randomly generated password using r as the source of
	// randomness.
	//
	// The returned password may or may not be deterministic with respect to r.
	// All generators in this package are deterministic unless otherwise noted.
	//
	// The output of r should be indistinguishable from a random string of the
	// same length. This is a property of a good CSPRNG. Fundamentally the
	// strength of the generated password is only as good as the provided source
	// of randomness.
	//
	// r should implement the io.ByteReader interface for improved performance.
	Password(r io.Reader) (string, error)
}

Generators

The package provides a number of generators that produce output from a fixed set:

Generator Description Examples
Digit [0-9] "0" "7"
LatinLower [a-z] "a" "j"
LatinLowerDigit [a-z0-9] "a" "j" "0" "7"
LatinUpper [A-Z] "A" "J"
LatinUpperDigit [A-Z0-9] "A" "J" "0" "7"
LatinMixed [a-zA-Z] "a" "j" "A" "J"
LatinMixedDigit [a-zA-Z0-9] "a" "j" "A" "J" "0" "7"
OrchardStreetMedium A word from Sam Schlinkert's Orchard Street Medium List "abandon" "forest"
OrchardStreetLong A word from Sam Schlinkert's Orchard Street Long List "abandon" "mobility"
OrchardStreetAlpha A word from Sam Schlinkert's Orchard Street Alpha List "abbot" "points"
OrchardStreetQWERTY A word from Sam Schlinkert's Orchard Street QWERTY List "access" "peg"
STS10Wordlist A word from Sam Schlinkert's '1Password Replacement List' "aback" "loophole"
EFFLargeWordlist A word from the EFF Large Wordlist for Passphrases "abacus" "partition"
EFFShortWordlist1 A word from the EFF Short Wordlist for Passphrases #1 "acid" "match"
EFFShortWordlist2 A word from the EFF Short Wordlist for Passphrases #2 "aardvark" "jaywalker"
Emoji13 A Unicode 13.0 fully-qualified emoji "⌚" "πŸ•ΈοΈ" "πŸ§ŽπŸΎβ€β™€οΈ"
Emoji15 A Unicode 15.0 fully-qualified emoji "⌚" "🏎️" "πŸ§πŸΏβ€β™‚οΈ"
HexLower Lowercase hexadecimal encoding "66e94bd4ef8a2c3b"
HexUpper Uppercase hexadecimal encoding "66E94BD4EF8A2C3B"
Base32 Base32 standard encoding "M3UUXVHPRIWDW"
Base32Hex Base32 hexadecimal encoding "CRKKNL7FH8M3M"
Base64 Base64 standard encoding "ZulL1O+KLDs"
Base64URL Base64 URL encoding "ZulL1O-KLDs"
Ascii85 Ascii85 encoding "B'Dt<mtrYX"
SpectreMaximum The Spectre maximum template "i7,o%yC4&fmQ1r*qfcWq"
SpectreLong The Spectre long template "ZikzXuwuHeve1("
SpectreMedium The Spectre medium template "Zik2~Puh"
SpectreBasic The Spectre basic template "izJ24tHJ"
SpectreShort The Spectre short template "His8"
SpectrePIN The Spectre PIN template "0778"
SpectreName The Spectre name template "hiskixuwu"
SpectrePhrase The Spectre phrase template "zi kixpu hoy vezamcu"
Empty Empty string ""
Hyphen ASCII hyphen-minus "-"
Space ASCII space " "

The package also provides a number of generators that produce output based on user input:

Generator Description
String A fixed string
RegexpParser Password that matches a regular expression pattern
FromCharset A rune from a charset string
FromRangeTable A rune from a unicode.RangeTable
FromSlice A string from a slice of strings

There are also a number of 'helper' generators that interact with the output of other generators:

Generator Description
Alternate Select a generator at random
Join Concatenate the output of multiple generators
Repeat Invoke a generator multiple times and concatenate the output
RandomRepeat Invoke a generator a random number of times and concatenate the output
RejectionSample Continually invoke a generator until the output passes a test
Transform Invoke a generator and convert the output according to a user supplied function
LowerCase Invoke a generator and convert the output to lower case
UpperCase Invoke a generator and convert the output to upper case
TitleCase Invoke a generator and convert the output to language-specific title case

Most generators only generate a single of something, be it a rune, ASCII character or word. For generating longer passwords use Repeat or RandomRepeat, possibly with Join or Alternate. In this way the various generators can be composed to generator arbitrarily long and complex passwords, or short and simple passwords as is needed.

The generators are designed to map from a random string / stream to a text password. This is not designed to be a reversible process and decoding the password to the original random string is not possible.

Commands

Two commands for easy CLI password generation are provided.

passphrase

passphrase is a tool that generates random passphrases using one of the embedded wordlists supported by passit.

$ go install go.tmthrgd.dev/passit/cmd/passphrase@latest
$ passphrase -n 5 -s -
assumes-forth-humanities-exemption-paid

twoproblems

twoproblems is a tool that generates random passwords based on a regular expression template.

$ go install go.tmthrgd.dev/passit/cmd/twoproblems@latest
$ twoproblems '[[:alpha:]]{15}-[[:digit:]]{3}[[:punct:]]{2}'
KsMtvHnSOmqjIll-277&$
$ twoproblems '[[:alnum:]]{5}-(?P<word>count=5&sep=-)-[[:punct:]]{5}'
7Gfyv-degree-currency-revolt-coined-requested-*@`}[

Two special captures ((?P<name>)) are supported:

  1. (?P<word>): A word from any of the supported wordlists. This takes parameters similar to a URL query string (e.g. x=1&y=2&y=3), including supporting percent escaping. The supported parameters are:
    • case transform the word to a given case ('lower' - default, 'upper' or 'title');
    • count generate N multiple words instead of just one;
    • list the name of a supported wordlist to use ('orchard:medium', 'orchard:long' - default, 'orchard:alpha, 'orchard:qwerty, 'eff:large' / 'eff', 'eff:short1' or 'eff:short2');
    • sep a separator to insert between words (defaults to a space).
  2. (?P<emoji>): A Unicode 15.0 emoji returned from Emoji15. This can take a number to generate multiple emoji.

Sources of randomness

Note: Remember that wrapping the io.Reader with bufio.NewReader (if it doesn't already implement io.ByteReader) will greatly improve the performance of the generators.

For generating random passwords, Password should be called with crypto/rand.Reader. Avoid using poor quality sources of randomness like math/rand.

import "crypto/rand"

func ExampleEFFLargeWordlist_WithCryptoRand() {
	pass, _ := passit.Repeat(passit.EFFLargeWordlist, "-", 4).Password(rand.Reader)
	fmt.Println(pass)
}

For generating deterministic passwords, Password should be called with a deterministic stream that should be indistinguishable from a random string of the same length. Good examples of sources for this would be HKDF, ChaCha20 or AES-CTR with proper key generation. Care must be taken when using deterministic password generation as the generated password is only ever as good as the provided source of randomness.

func ExampleEFFLargeWordlist_WithHKDF() {
	secret, salt, info := []byte("secret"), []byte("salt"), []byte("info")

	r := hkdf.New(sha512.New, secret, salt, info)

	pass, _ := passit.Repeat(passit.EFFLargeWordlist, "-", 4).Password(r)
	fmt.Println(pass) // Output: king-unflawed-vagrancy-laxative
}

func ExampleEFFLargeWordlist_WithChaCha20() {
	key := []byte("secret key for password generate")

	c, _ := chacha20.NewUnauthenticatedCipher(key, []byte("IV for PWDGN"))
	r := cipher.StreamReader{S: c, R: zeroReader{}}

	pass, _ := passit.Repeat(passit.EFFLargeWordlist, "-", 4).Password(r)
	fmt.Println(pass) // Output: penny-enclose-preoccupy-sappy
}

func ExampleEFFLargeWordlist_WithAESCTR() {
	key := []byte("secret key for password generate")

	block, _ := aes.NewCipher(key)
	ctr := cipher.NewCTR(block, []byte("IV for PWDGN CTR"))
	r := cipher.StreamReader{S: ctr, R: zeroReader{}}

	pass, _ := passit.Repeat(passit.EFFLargeWordlist, "-", 4).Password(r)
	fmt.Println(pass) // Output: juncture-net-unseen-pegboard
}

type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	clear(p)
	return len(p), nil
}

License

This library is Copyright (c) 2022, Tom Thorogood and is licensed under a BSD 3-Clause License.

Embedded wordlists are subject to their own copyright license referenced in the documentation.