go-password-validator alternatives and similar packages
Based on the "Security" category.
Alternatively, view go-password-validator alternatives based on common mentions on social networks and blogs.
-
Lean and Mean Docker containers
Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source) -
age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability. -
Themis by Cossack Labs
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms. -
acra
Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL. -
ToRat
DISCONTINUED. ToRat is a Remote Administation tool written in Go using Tor as a transport mechanism and RPC for communication -
teler-waf
teler-waf is a Go HTTP middleware that protects local web services from OWASP Top 10 threats, known vulnerabilities, malicious actors, botnets, unwanted crawlers, and brute force attacks. -
go-peer
🔐 Library for developing secure, decentralized, anonymous and quantum-resistant networks in Go language -
simple-scrypt
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑 -
passwap
Package passwap provides a unified implementation between different password hashing algorithms. It allows for easy swapping between algorithms, using the same API for all of them. -
goSecretBoxPassword
A probably paranoid Golang utility library for securely hashing and encrypting passwords based on the Dropbox method. This implementation uses Blake2b, Scrypt and XSalsa20-Poly1305 (via NaCl SecretBox) to create secure password hashes that are also encrypted using a master passphrase. -
go-generate-password
Password generator written in Golang, usable as a CLI or Go library. Provides options for human readable and accessibility friendly passwords. -
secureio
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer. -
goArgonPass
goArgonPass is a Argon2 Password utility package for Go using the crypto library package Argon2 designed to be compatible with Passlib for Python and Argon2 PHP. Argon2 was the winner of the most recent Password Hashing Competition. This is designed for use anywhere password hashing and verification might be needed and is intended to replace implementations using bcrypt or Scrypt.
CodeRabbit: AI Code Reviews for Developers
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of go-password-validator or a related project?
README
go-password-validator
Simple password validator using raw entropy values. Hit the project with a star if you find it useful ⭐
Supported by Qvault
This project can be used to front a password strength meter, or simply validate password strength on the server. Benefits:
- No stupid rules (doesn't require uppercase, numbers, special characters, etc)
- Everything is based on entropy (raw cryptographic strength of the password)
- Doesn't load large sets of data into memory - very fast and lightweight
- Doesn't contact any API's or external systems
- Inspired by this XKCD
⚙️ Installation
Outside of a Go module:
go get github.com/wagslane/go-password-validator
🚀 Quick Start
package main
import (
passwordvalidator "github.com/wagslane/go-password-validator"
)
func main(){
entropy := passwordvalidator.GetEntropy("a longer password")
// entropy is a float64, representing the strength in base 2 (bits)
const minEntropyBits = 60
err := passwordvalidator.Validate("some password", minEntropyBits)
// if the password has enough entropy, err is nil
// otherwise, a formatted error message is provided explaining
// how to increase the strength of the password
// (safe to show to the client)
}
What Entropy Value Should I Use?
It's up to you. That said, here is a graph that shows some common timings for different values, somewhere in the 50-70 range seems "reasonable".
Keep in mind that attackers likely aren't just brute-forcing passwords, if you want protection against common passwords or PWNed passwords you'll need to do additional work. This library is lightweight, doesn't load large datasets, and doesn't contact external services.
How It Works
First, we determine the "base" number. The base is a sum of the different "character sets" found in the password.
We've arbitrarily chosen the following character sets:
- 26 lowercase letters
- 26 uppercase letters
- 10 digits
- 5 replacement characters -
!@$&*
- 5 seperator characters -
_-.,
- 22 less common special characters -
"#%'()+/:;<=>?[\]^{|}~
Using at least one character from each set your base number will be 94: 26+26+10+5+5+22 = 94
Every unique character that doesn't match one of those sets will add 1
to the base.
If you only use, for example, lowercase letters and numbers, your base will be 36: 26+10 = 36
.
After we have calculated a base, the total number of brute-force-guesses is found using the following formulae: base^length
A password using base 26 with 7 characters would require 26^7
, or 8031810176
guesses.
Once we know the number of guesses it would take, we can calculate the actual entropy in bits using log2(guesses)
. That calculation is done in log space in practice to avoid numeric overflow.
Additional Safety
We try to err on the side of reporting less entropy rather than more.
Same Character
With repeated characters like aaaaaaaaaaaaa
, or 111222
, we modify the length of the sequence to count as no more than 2
.
aaaa
has length 2111222
has length 4
Common Sequences
Common sequences of length three or greater count as length 2
.
12345
has length 2765432
has length 2abc
has length 2qwerty
has length 2
The sequences are checked from back->front and front->back. Here are the sequences we've implemented so far, and they're case-insensitive:
0123456789
qwertyuiop
asdfghjkl
zxcvbnm
abcdefghijklmnopqrstuvwxyz
Not ZXCVBN
There's another project that has a similar purpose, zxcvbn, and you may want to check it out as well. Our goal is not to be zxcvbn, because it's already good at what it does. go-password-validator
doesn't load any large datasets of real-world passwords, we write simple rules to calculate an entropy score. It's up to the user of this library to decide how to use that entropy score, and what scores constitute "secure enough" for their application.
💬 Contact
Submit an issue (above in the issues tab)
Transient Dependencies
None! And it will stay that way, except of course for the standard library.
👏 Contributing
I love help! Contribute by forking the repo and opening pull requests. Please ensure that your code passes the existing tests and linting, and write tests to test your changes if applicable.
All pull requests should be submitted to the main
branch.
make test
make fmt
make vet
make lint