As a follow-up to my previous blog post, “Password Requirements Done Better”, I have finalized a package for dictionary password validation for Go.
If you have a site where users have passwords, and you don’t already do dictionary checks, I would strongly recommend you look at this.
The package can be used to protect your bcrypt/scrypt/PBKDF-hashed passwords against dictionary attacks. As discussed in the previous post, this is a much greater threat than brute-force attacks, and the protection is, of course, simply checking candidate passwords against a dictionary (no magic).
- Package home: https://github.com/klauspost/password
- Godoc: https://godoc.org/github.com/klauspost/password
You can use your own database and password dictionary. Currently the package supports importing common dictionary formats and has built-in “drivers” for MongoDB, BoltDB, MySQL and PostgreSQL. If you decide to write your own database connection, there are helper functions to test that it works correctly.
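To show the shape of such a check without depending on the package, here is an added standalone example (not code from klauspost/password): a hypothetical Dictionary interface with an in-memory backend, an importer for a newline-separated word list, and a Check that normalizes the candidate before lookup.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"strings"
)

var ErrInDictionary = errors.New("password found in dictionary")
// Dictionary is the minimal backend a check needs; a real deployment puts
// a database behind it. This interface is hypothetical, not the package's.
type Dictionary interface {
	Add(word string) error
	Has(word string) (bool, error)
}

// MemDictionary backs Dictionary with a map, enough for tests and demos.
type MemDictionary map[string]struct{}

func (m MemDictionary) Add(word string) error          { m[word] = struct{}{}; return nil }
func (m MemDictionary) Has(word string) (bool, error) { _, ok := m[word]; return ok, nil }

// normalize folds case and whitespace so "Password" and " password " still match.
func normalize(p string) string { return strings.ToLower(strings.TrimSpace(p)) }

// Import reads a newline-separated word list (the common dictionary format)
// into db and returns how many entries were stored.
func Import(list io.Reader, db Dictionary) (int, error) {
	n, sc := 0, bufio.NewScanner(list)
	for sc.Scan() {
		w := normalize(sc.Text())
		if w == "" {
			continue
		}
		if err := db.Add(w); err != nil {
			return n, err
		}
		n++
	}
	return n, sc.Err()
}

// Check rejects a candidate whose normalized form is in the dictionary.
func Check(candidate string, db Dictionary) error {
	found, err := db.Has(normalize(candidate))
	if err == nil && found {
		err = ErrInDictionary
	}
	return err
}
```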
I have just finished the documentation and tests, but I am very open to suggestions, and if your favorite database is missing, feel free to request it and I will see if I can help.
I have created a local download mirror for the best dictionary I have found, and I am currently working on a combined dictionary.