feat: check duplicated passwords

Author: camandel

README.md

@@ -18,6 +18,7 @@ The passwords will be checked on:
 - common keyboards sequences
 - l33t substitutions
 - username as part of the password
+- duplicated passwords
 - a custom dictionary can be loaded at runtime
 
 It supports `CSV files` exported from the most popular Password Managers and Browsers:
@@ -36,16 +37,16 @@ To check only one password at a time it can be used in `interactive` mode (passw
 $ check-password-strength -i
 Enter Username: username
 Enter Password: 
-  URL | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK  
-------+----------+----------+------------------+--------------------------
-      | username | p******d |  0 - Really bad  | instant
+  URL | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK | ALREADY USED   
+------+----------+----------+------------------+-------------------------+---------------
+      | username | p******d |  0 - Really bad  | instant                 |
 ```
 or reading from `stdin`:
 ```
 $ echo $PASSWORD | check-password-strength
-  URL | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK  
-------+----------+----------+------------------+--------------------------
-      |          | p******j |  4 - Strong      | centuries  
+  URL | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK | ALREADY USED  
+------+----------+----------+------------------+-------------------------+---------------
+      |          | p******j |  4 - Strong      | centuries               |
 ```
 If you need to use it in a script you can use `-q` flag. It will display nothing on stdout and the `exit code` will contain the password score (it works only with single password):
 ```
@@ -116,7 +117,7 @@ USAGE:
    check-password-strength [options]
 
 VERSION:
-   v0.0.2
+   v0.0.3
 
 COMMANDS:
    help, h  Shows a list of commands or help for one command
@@ -125,6 +126,7 @@ GLOBAL OPTIONS:
    --filename CSVFILE, -f CSVFILE      Check passwords from CSVFILE
    --customdict JSONFILE, -c JSONFILE  Load custom dictionary from JSONFILE
    --interactive, -i                   enable interactive mode asking data from console (default: false)
+   --stats, -s                         display only statistics (default: false)
    --quiet, -q                         return score as exit code (valid only with single password) (default: false)
    --debug, -d                         show debug logs (default: false)
    --help, -h                          show help (default: false)

assets/img/screenshot.jpg

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"crypto/rand"
+	"crypto/sha512"
 	"encoding/csv"
 	"encoding/json"
 	"errors"
@@ -40,6 +42,8 @@ type statistics struct {
 	DuplicateCount int
 }
 
+type duplicates map[string][]int
+
 func loadBundleDict() ([]string, error) {
 
 	var assetDict []string
@@ -145,32 +149,58 @@ func checkMultiplePassword(csvfile, jsonfile string, interactive, stats bool) er
 
 	// initialize statistics
 	stat := initStats(len(allDict))
+	duplicate := duplicates{}
+
+	// generate seed
+	seed, err := generateSeed()
+	if err != nil {
+		return err
+	}
 
 	lines, order, err := readCsv(csvfile)
 	if err != nil {
 		return err
 	}
 	log.Debugf("order: %v\n", order)
 
-	for _, line := range lines {
+	for n, line := range lines {
 		data := csvRow{
 			URL:      line[order["url"]],
 			Username: line[order["username"]],
 			Password: line[order["password"]],
 		}
 
 		passwordStength := zxcvbn.PasswordStrength(data.Password, append(allDict, data.Username))
+
+		hash := generateHash(seed, data.Password)
+
+		// check if password is already used
+		duplicate[hash] = append(duplicate[hash], n)
+
 		data.Password = redactPassword(data.Password)
 		output = append(output, []string{data.URL, data.Username, data.Password,
 			fmt.Sprintf("%d", passwordStength.Score),
 			fmt.Sprintf("%.2f", passwordStength.Entropy),
-			passwordStength.CrackTimeDisplay})
+			passwordStength.CrackTimeDisplay,
+			"",
+		})
 
 		// update statistics
 		stat.ScoreCount[passwordStength.Score] = stat.ScoreCount[passwordStength.Score] + 1
 		stat.TotCount = stat.TotCount + 1
 	}
 
+	// add hash to identify duplicated passwords
+	for h, v := range duplicate {
+		if len(v) > 1 {
+			for _, i := range v {
+				output[i][6] = h
+				stat.DuplicateCount = stat.DuplicateCount + 1
+			}
+		}
+	}
+
+	// show statistics report
 	if stats {
 		showStats(stat, colorable.NewColorableStdout())
 	} else {
@@ -207,7 +237,9 @@ func checkSinglePassword(username, password, jsonfile string, quiet, stats bool)
 	output = append(output, []string{"", username, password,
 		fmt.Sprintf("%d", passwordStength.Score),
 		fmt.Sprintf("%.2f", passwordStength.Entropy),
-		passwordStength.CrackTimeDisplay})
+		passwordStength.CrackTimeDisplay,
+		"",
+	})
 
 	if stats {
 		showStats(stat, colorable.NewColorableStdout())
@@ -288,6 +320,20 @@ func redactPassword(p string) string {
 	return fmt.Sprintf("%s******%s", p[0:1], p[len(p)-1:])
 }
 
+func generateSeed() ([]byte, error) {
+	buf := make([]byte, 16)
+	_, err := rand.Read(buf)
+	if err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
+
+func generateHash(seed []byte, password string) string {
+	sha1 := sha512.Sum512(append(seed, []byte(password)...))
+	return fmt.Sprintf("%x", sha1)[:8]
+}
+
 func initStats(c int) statistics {
 	return statistics{
 		TotCount:       0,
@@ -300,7 +346,7 @@ func initStats(c int) statistics {
 func showTable(data [][]string, w io.Writer) {
 	// writer is a s parameter to pass buffer during tests
 	table := tablewriter.NewWriter(w)
-	table.SetHeader([]string{"URL", "Username", "Password", "Score (0-4)", "Estimated time to crack"})
+	table.SetHeader([]string{"URL", "Username", "Password", "Score (0-4)", "Estimated time to crack", "Already used"})
 	table.SetBorder(false)
 	table.SetAlignment(tablewriter.ALIGN_LEFT)
 
@@ -326,7 +372,7 @@ func showTable(data [][]string, w io.Writer) {
 			scoreColor = tablewriter.BgGreenColor
 		}
 
-		colorRow := []string{row[0], row[1], row[2], score, row[5]}
+		colorRow := []string{row[0], row[1], row[2], score, row[5], row[6]}
 		table.Rich(colorRow, []tablewriter.Colors{nil, nil, nil, {scoreColor}})
 
 	}
@@ -339,13 +385,12 @@ func showStats(stat statistics, w io.Writer) {
 	table := tablewriter.NewWriter(w)
 	table.SetHeader([]string{"Description", "Count"})
 	table.SetBorder(false)
-	//table.SetAlignment(tablewriter.ALIGN_LEFT)
 
 	data := [][]string{
 		{"Password checked", fmt.Sprintf("%d", stat.TotCount)},
 		{"Words in dictionaries", fmt.Sprintf("%d", stat.WordsCount)},
+		{"Duplicated passwords", fmt.Sprintf("%d", stat.DuplicateCount)},
 		{"Really bad passwords", fmt.Sprintf("%d", stat.ScoreCount[0])},
-		//{"Duplicated passwords", fmt.Sprintf("%d", stat.DuplicateCount)},
 		{"Bad passwords", fmt.Sprintf("%d", stat.ScoreCount[1])},
 		{"Weak passwords", fmt.Sprintf("%d", stat.ScoreCount[2])},
 		{"Good passwords", fmt.Sprintf("%d", stat.ScoreCount[3])},

cmd/core.go

@@ -46,6 +46,47 @@ func TestRedactPassword(t *testing.T) {
 		})
 	}
 }
+
+func TestGenerateHash(t *testing.T) {
+
+	tests := []struct {
+		name     string
+		seed     []byte
+		password string
+		out      string
+	}{
+		{
+			name:     "first password",
+			seed:     []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1},
+			password: "password",
+			out:      "c7f42603",
+		},
+		{
+			name:     "same seed and different password",
+			seed:     []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1},
+			password: "otherpassword",
+			out:      "1413a414",
+		},
+		{
+			name:     "same password but different seed",
+			seed:     []byte{0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1},
+			password: "password",
+			out:      "4b124f90",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := generateHash(tt.seed, tt.password)
+
+			if !reflect.DeepEqual(tt.out, h) {
+				t.Fatalf("got %s, expected %s", h, tt.out)
+			}
+
+		})
+	}
+}
+
 func TestReadCsv(t *testing.T) {
 
 	tests := []struct {
@@ -149,29 +190,47 @@ func TestShowTable(t *testing.T) {
 		out  string
 	}{
 		{
-			name: "One row",
-			in:   [][]string{{"url1", "user1", "p******1", "1", "5.00", "instant"}},
-			out: `  URL  | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK  
--------+----------+----------+------------------+--------------------------
-  url1 | user1    | p******1 | [101m 1 - Bad        [0m | instant                  
+			name: "Single row",
+			in:   [][]string{{"url1", "user1", "p******1", "1", "5.00", "instant", ""}},
+			out: `  URL  | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK | ALREADY USED  
+-------+----------+----------+------------------+-------------------------+---------------
+  url1 | user1    | p******1 | [101m 1 - Bad        [0m | instant                 |               
 `,
 		},
 		{
-			name: "Five rows with different colors",
+			name: "Multiple rows no duplicates",
 			in: [][]string{
-				{"url0", "user0", "p******0", "0", "5.00", "instant"},
-				{"url1", "user1", "p******1", "1", "5.00", "instant"},
-				{"url2", "user2", "p******2", "2", "5.00", "instant"},
-				{"url3", "user3", "p******3", "3", "5.00", "instant"},
-				{"url4", "user4", "p******4", "4", "5.00", "instant"},
+				{"url0", "user0", "p******0", "0", "5.00", "instant", ""},
+				{"url1", "user1", "p******1", "1", "5.00", "instant", ""},
+				{"url2", "user2", "p******2", "2", "5.00", "instant", ""},
+				{"url3", "user3", "p******3", "3", "5.00", "instant", ""},
+				{"url4", "user4", "p******4", "4", "5.00", "instant", ""},
 			},
-			out: `  URL  | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK  
--------+----------+----------+------------------+--------------------------
-  url0 | user0    | p******0 |  0 - Really bad  | instant                  
-  url1 | user1    | p******1 |  1 - Bad         | instant                  
-  url2 | user2    | p******2 |  2 - Weak        | instant                  
-  url3 | user3    | p******3 |  3 - Good        | instant                  
-  url4 | user4    | p******4 |  4 - Strong      | instant                  
+			out: `  URL  | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK | ALREADY USED  
+-------+----------+----------+------------------+-------------------------+---------------
+  url0 | user0    | p******0 |  0 - Really bad  | instant                 |               
+  url1 | user1    | p******1 |  1 - Bad         | instant                 |               
+  url2 | user2    | p******2 |  2 - Weak        | instant                 |               
+  url3 | user3    | p******3 |  3 - Good        | instant                 |               
+  url4 | user4    | p******4 |  4 - Strong      | instant                 |               
+`,
+		},
+		{
+			name: "Multiple rows with duplicates",
+			in: [][]string{
+				{"url0", "user0", "p******0", "0", "5.00", "instant", "aaaaaaaa"},
+				{"url1", "user1", "p******1", "1", "5.00", "instant", "bbbbbbbb"},
+				{"url2", "user2", "p******0", "0", "5.00", "instant", "aaaaaaaa"},
+				{"url3", "user3", "p******3", "3", "5.00", "instant", ""},
+				{"url4", "user4", "p******1", "1", "5.00", "instant", "bbbbbbbb"},
+			},
+			out: `  URL  | USERNAME | PASSWORD |   SCORE (0-4)    | ESTIMATED TIME TO CRACK | ALREADY USED  
+-------+----------+----------+------------------+-------------------------+---------------
+  url0 | user0    | p******0 |  0 - Really bad  | instant                 | aaaaaaaa      
+  url1 | user1    | p******1 |  1 - Bad         | instant                 | bbbbbbbb      
+  url2 | user2    | p******0 |  0 - Really bad  | instant                 | aaaaaaaa      
+  url3 | user3    | p******3 |  3 - Good        | instant                 |               
+  url4 | user4    | p******1 |  1 - Bad         | instant                 | bbbbbbbb      
 `,
 		},
 	}
@@ -209,6 +268,7 @@ func TestShowStats(t *testing.T) {
 ------------------------+--------
   Password checked      |     1  
   Words in dictionaries | 59824  
+  Duplicated passwords  |     0  
   Really bad passwords  |     0  
   Bad passwords         |     0  
   Weak passwords        |     0  
@@ -222,12 +282,13 @@ func TestShowStats(t *testing.T) {
 				TotCount:       9,
 				WordsCount:     59824,
 				ScoreCount:     []int{3, 1, 2, 1, 2},
-				DuplicateCount: 0,
+				DuplicateCount: 2,
 			},
 			out: `       DESCRIPTION      | COUNT  
 ------------------------+--------
   Password checked      |     9  
   Words in dictionaries | 59824  
+  Duplicated passwords  |     2  
   Really bad passwords  |     3  
   Bad passwords         |     1  
   Weak passwords        |     2  

cmd/core_test.go

@@ -1,4 +1,4 @@
 package cmd
 
 // Version to display
-var Version = "v0.0.2"
+var Version = "v0.0.3"

cmd/version.go

@@ -8,3 +8,4 @@
 "www.example.com","user3","house-new-cow"
 "www.example.com","user3","polygon-approve-entire-coexist"
 "www.example.com","user2","Gsg#H4k#*966Dx"
+"www.example.com","user2","polygon-approve-entire-coexist"