sethvargo / go-password

A Golang library for generating high-entropy random passwords similar to 1Password or LastPass.


Currently possible to generate a password without either uppercase or lowercase characters

lpmi-13 opened this issue · comments

While generating passwords, some password policies require both uppercase and lowercase letters. If the number of characters specified is low enough, there's a higher likelihood that a password with either no uppercase or no lowercase might be generated.

For example:

```
found one without uppers: lj<htui904&wgnobm2
found one without lowers: XS4M-VKG3BCQY+ET09
found one without lowers: P<QS8KTN53#BV1CDWY
found one without uppers: eab9ko!i45qc8tmny-
found one without lowers: SH-YC6Q*LBRM4FPD30
```

If it seems feasible, I'd love to submit a PR to update the behavior to avoid having either no uppercase or no lowercase in the generated strings, but not really sure where to begin. Any pointers much appreciated.

Hi @lpmi-13

I think this is working intended, since the API is to allow uppercase/lowercase, not require. In general, it will be infeasible for this tool to appease every password policy. I think we could come up with an API that specifies a collection of character sets and the minimum number of characters from that set, e.g.

```go
password.Generate(&password.GenerateInput{
  Length: 32,
  CharacterSets: []*password.CharacterSet{
    {
      Allowed: password.Uppers,
      Min: 5,
      Max: 10,
    },
    {
      Allowed: password.Lowers,
      Min: 10,
    },
    {
      Allowed: "АБВГДЕЁЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯ",
      Max: 10,
    },
  },
})
```

But this feels incredibly verbose and error-prone.
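As an added illustration (not the library's code and not the maintainer's sketch above), this is what a "character set plus minimum count" policy could look like behind the scenes: a check that counts characters per set, and a crypto/rand generator that rejects candidates failing the check instead of ever returning a password that lacks a required class. The `Requirement` type, the function names and the sample sets used in the test are assumptions for this example; sets are assumed not to overlap.

```go
package main
import (
	"crypto/rand"
	"errors"
	"math/big"
	"strings"
)
// Requirement pairs an allowed character set with the minimum number of its
// characters a password must contain (hypothetical shape, not the library's API).
type Requirement struct {
	Set string
	Min int
}
// meetsRequirements reports whether pw holds at least Min characters of each set.
func meetsRequirements(pw string, reqs []Requirement) bool {
	for _, r := range reqs {
		n := 0
		for _, c := range r.Set {
			n += strings.Count(pw, string(c)) // single-rune matches never overlap
		}
		if n < r.Min {
			return false
		}
	}
	return true
}
// generateWithPolicy draws uniform candidates over the union of the sets (as runes,
// so non-ASCII sets work) with crypto/rand and returns the first that meets every
// minimum; rejection keeps accepted passwords uniform, and the attempt cap turns an
// unsatisfiable policy into an error instead of an endless loop.
func generateWithPolicy(length int, reqs []Requirement, maxAttempts int) (string, error) {
	alphabet, need := "", 0
	for _, r := range reqs {
		alphabet, need = alphabet+r.Set, need+r.Min
	}
	runes := []rune(alphabet)
	if len(runes) == 0 || need > length {
		return "", errors.New("policy cannot be satisfied at this length")
	}
	pw := make([]rune, length)
	for attempt := 0; attempt < maxAttempts; attempt++ {
		for i := range pw {
			k, err := rand.Int(rand.Reader, big.NewInt(int64(len(runes))))
			if err != nil {
				return "", err
			}
			pw[i] = runes[k.Int64()]
		}
		if meetsRequirements(string(pw), reqs) {
			return string(pw), nil
		}
	}
	return "", errors.New("no candidate met the policy within maxAttempts")
}
```

A `Min: 0` requirement simply adds its set to the alphabet without demanding any of its characters, which matches the "allowed but not required" semantics discussed above.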

Yeah, I think that's about where I got to as well...and actually, I couldn't think of a password policy that would require only uppercase or lowercase (as in, you would basically always want a mix of lowercase/uppercase). The current implementation basically guarantees that if your character length is longer than 22, which is what we ended up setting ours to in order to get around the issue, and we should probably have longer passwords anyway. haha.

Would you be interested in a PR to update the README just to make a note that if you, for some reason, need to use a shorter character password, be aware that it might not conform to certain password policies (eg, AWS)?

Yea of course!

addressed by #19

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.