Documentation ¶
Overview ¶
Package password : The password package provides implementation of Password services: Encryption, salting, reset, time expiration and throttling.
The password package handles the following:
- Generating a new (salted) password,
- Checking if a given password matches a given user's password
- Updating a user's password
- Resetting a password to a password that can only be used once within a predifined window of time
Passwords have the following properties:
- The current password
- The password's expiration time
- Old passwords that should be avoided. If there is an attempt to reused an old the user is flagged.
- Error counter: counts the number of consecutive unsuccessful authentication attempts
- Is it a 'temporary password' (after password reset)
Note that users are also flagged if they attempt to use a one-time-passwords more than once
Index ¶
- Constants
- func CheckPasswordStrength(pass string) error
- func GenerateNewValidPassword() []byte
- func GetHashedPwd(pwd []byte) []byte
- type Serializer
- func (s Serializer) AddToStorage(prefix string, data interface{}, storage *ss.SecureStorage) error
- func (s Serializer) IsEqualProperties(da1 interface{}, da2 interface{}) bool
- func (s Serializer) PrintProperties(data interface{}) string
- func (s Serializer) ReadFromStorage(key string, storage *ss.SecureStorage) (interface{}, error)
- type UserPwd
- func (u UserPwd) IsNewPwdValid(pwd []byte, checkPwdStrength bool) error
- func (u *UserPwd) IsPasswordMatch(pwd []byte) error
- func (u *UserPwd) ResetPassword() ([]byte, error)
- func (u *UserPwd) SetTemporaryPwd(flag bool)
- func (u UserPwd) String() string
- func (u *UserPwd) UpdatePassword(currentPwd []byte, pwd []byte, checkPwdStrength bool) ([]byte, error)
- func (u *UserPwd) UpdatePasswordAfterReset(currentPwd []byte, pwd []byte, expiration time.Time) ([]byte, error)
Examples ¶
Constants ¶
const ( MinPasswordLength = 8 MaxPasswordLength = 256 )
Note: Secure storage and the strength of the password are not handled by this package
Variables ¶
This section is empty.
Functions ¶
func CheckPasswordStrength ¶
CheckPasswordStrength : VErify that the given password strength is good enougth
func GenerateNewValidPassword ¶
func GenerateNewValidPassword() []byte
GenerateNewValidPassword : Generate a valid password that includes defaultPasswordLen characters with 2 Upper case characters, 2 numbers and 2 characters from "!@#$&-+;" The other method of select random byte array and verify if it fits the rules may take a lot of iterations to fit the rules The entropy is not perfect but its good enougth for temporary reset password
func GetHashedPwd ¶
GetHashedPwd : The password should be handled and stored as hashed and not in clear text This function implementation may later be updated to crypto.cbytes
Types ¶
type Serializer ¶
type Serializer struct{}
Serializer : virtual set of functions that must be implemented by each module
func (Serializer) AddToStorage ¶
func (s Serializer) AddToStorage(prefix string, data interface{}, storage *ss.SecureStorage) error
AddToStorage : Add the Password property information to the secure_storage
func (Serializer) IsEqualProperties ¶
func (s Serializer) IsEqualProperties(da1 interface{}, da2 interface{}) bool
IsEqualProperties : Compare 2 Password properties
func (Serializer) PrintProperties ¶
func (s Serializer) PrintProperties(data interface{}) string
PrintProperties : Print the Password property data
func (Serializer) ReadFromStorage ¶
func (s Serializer) ReadFromStorage(key string, storage *ss.SecureStorage) (interface{}, error)
ReadFromStorage : Return the entity Password data read from the secure storage (in JSON format)
type UserPwd ¶
type UserPwd struct { Password []byte Salt []byte Expiration time.Time ErrorsCounter int TemporaryPwd bool // must be replaced after the first use OldPasswords [defaultNumberOfOldPasswords][]byte }
UserPwd : structure that holds all the parameters relevant to handle password such as the passward, salt, expiration time, counters etc.
Example ¶
Example of how to use the password.
- Create a new password.
- Verify that the initial password is set correctly
- Change the user's password
- Verify that the old password is not valid anymore
- Verify that the new password is valid
- Verify that the old password can't be used any more (at least not as long as it remains in the old passwords list)
package main import ( "fmt" "github.com/ibm-security-innovation/libsecurity-go/password" "github.com/ibm-security-innovation/libsecurity-go/salt" ) var ( minPasswordLength = 1 maxPasswordLength = 255 ) func main() { id := "User-1" pwd := []byte("a1B2c3d^@") saltStr, _ := salt.GetRandomSalt(8) userPwd, _ := password.NewUserPwd(pwd, saltStr, true) tPwd, _ := salt.GenerateSaltedPassword(pwd, minPasswordLength, maxPasswordLength, saltStr, -1) newPwd := password.GetHashedPwd(tPwd) err := userPwd.IsPasswordMatch(newPwd) if err != nil { fmt.Println("Error", err) } userNewPwd := []byte(string(pwd) + "a") newPwd, err = userPwd.UpdatePassword(userPwd.Password, userNewPwd, true) if err != nil { fmt.Printf("Password update for user %v to new password '%v' (%v) failed, error %v\n", id, newPwd, string(userNewPwd), err) } else { fmt.Printf("User '%v', updated password to '%v' (%v)\n", id, newPwd, string(userNewPwd)) } err = userPwd.IsPasswordMatch(newPwd) if err != nil { fmt.Printf("Check of the new password, '%v' (%v), for user %v failed, error %v\n", newPwd, string(userNewPwd), id, err) } else { fmt.Printf("User '%v', new password '%v' (%v) verified successfully\n", id, newPwd, string(userNewPwd)) } err = userPwd.IsPasswordMatch(pwd) if err == nil { fmt.Printf("Error: Old password '%v' (%v) for user %v accepted\n", pwd, string(pwd), id) } else { fmt.Printf("User '%v', Note that the old password '%v' (%v) cannot be used anymore\n", id, pwd, string(pwd)) } newPwd, err = userPwd.UpdatePassword(userPwd.Password, pwd, true) if err == nil { fmt.Printf("Error: Password '%v' (typed password %v) for user %v was already used\n", newPwd, string(pwd), id) } else { fmt.Printf("Entity '%v'. Note that the old password (entered password) %v was already used\n", id, string(pwd)) } }
Output:
func NewUserPwd ¶
NewUserPwd : Generate a new UserPwd for a given password The generated password is with a default expiration time
func (UserPwd) IsNewPwdValid ¶
IsNewPwdValid : Verify that the password is legal: its length is OK and it wasn't recently used
func (*UserPwd) IsPasswordMatch ¶
IsPasswordMatch : Verify that the given password is the expected one and that it is not expired
func (*UserPwd) ResetPassword ¶
ResetPassword : Reset the password of a given user to a random password and make it a One-time-password with a short window time in which it should be used and replaced by the user
Example ¶
Example of how to use the reset password function: This function resets the current password, selects a new password with short expiration time and lets the user use it exactly once
package main import ( "fmt" "github.com/ibm-security-innovation/libsecurity-go/password" "github.com/ibm-security-innovation/libsecurity-go/salt" ) func main() { id := "User1" pwd := []byte("a1b2C@3d4") saltStr, _ := salt.GetRandomSalt(10) userPwd, _ := password.NewUserPwd(pwd, saltStr, false) tmpPwd, _ := userPwd.ResetPassword() tPwd, _ := salt.GenerateSaltedPassword(tmpPwd, 1, 100, saltStr, -1) newPwd := password.GetHashedPwd(tPwd) err := userPwd.IsPasswordMatch(newPwd) if err != nil { fmt.Printf("Check of newly generated password '%v' for user %v failed, error %v\n", newPwd, id, err) } else { fmt.Printf("Entity %v, after resetting password '%v' verified successfully\n", id, newPwd) } err = userPwd.IsPasswordMatch(newPwd) if err == nil { fmt.Printf("Error: Newly generated password '%v' could be used only once\n", newPwd) } else { fmt.Printf("Newly generated password '%v', for entity %v, can only be used once\n", newPwd, id) } }
Output:
func (*UserPwd) SetTemporaryPwd ¶
SetTemporaryPwd : sets the temporary password status to the given value