Audit freshly generated passwords #761
Conversation
pkg/pwgen/pwgen.go
Outdated
var password string | ||
|
||
validator := crunchy.NewValidator() | ||
for i := 0; i < 3 && validator.Check(password) != nil; i++ { |
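Review bot: the condition `i < 3 && validator.Check(password) != nil` makes the loop stop after three attempts whether or not the last candidate passed the check, and nothing in this hunk reports to the caller that the audit gave up, so a rejected password can still be returned silently. Consider re-running `validator.Check(password)` after the loop and returning an error (or at least logging) when it still fails, and naming the retry bound as a constant instead of the bare `3`. The reliance on the validator rejecting the empty initial `password` also deserves a one-line comment, since as written the loop reads as if generation could be skipped entirely.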
You rely on the fact that the validator complains if the initial password is empty?
Correct. Could be done "cleaner" with a couple more lines of code, but then I'm not sure it's actually more readable. What do you think?
I think it's fine. Just wanted to understand your reasoning.
Codecov Report
@@ Coverage Diff @@
## master #761 +/- ##
==========================================
+ Coverage 64.03% 64.05% +0.02%
==========================================
Files 166 166
Lines 8882 8888 +6
==========================================
+ Hits 5687 5693 +6
Misses 2514 2514
Partials 681 681
Continue to review full report at Codecov.
LGTM
Even generated passwords should be audited, since nothing stops the random generator from creating one called "password" (if you only try long enough or are particularly unlucky).
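The generate-then-audit loop this PR describes, written out as an added example (it is not gopass's own code). The generator is injected, `weakCheck` is a constructed stand-in for crunchy's `Check` rather than the real library, and the loop returns an error when every attempt is rejected instead of falling through with the last candidate.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// generateAudited draws candidates from gen until one passes check; after maxAttempts it fails loudly.
func generateAudited(gen func() (string, error), check func(string) error, maxAttempts int) (string, error) {
	var lastErr error
	for i := 0; i < maxAttempts; i++ {
		pw, err := gen()
		if err != nil {
			return "", err
		}
		if lastErr = check(pw); lastErr == nil {
			return pw, nil
		}
	}
	return "", fmt.Errorf("pwgen: no candidate passed the audit after %d attempts: %v", maxAttempts, lastErr)
}

// weakCheck is a constructed stand-in for crunchy's Check (not the real library): length and dictionary words.
func weakCheck(pw string) error {
	if len(pw) < 12 {
		return fmt.Errorf("too short (%d chars)", len(pw))
	}
	for _, w := range []string{"password", "qwerty", "letmein"} {
		if strings.Contains(strings.ToLower(pw), w) {
			return fmt.Errorf("contains dictionary word %q", w)
		}
	}
	return nil
}

// randomPassword draws n characters uniformly from a fixed alphabet using crypto/rand (no modulo bias).
func randomPassword(n int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%&*+-=?@"
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}
```

Wiring it up is a single call, e.g. `generateAudited(func() (string, error) { return randomPassword(20) }, weakCheck, 3)`, and the caller must handle the error rather than assume a password came back.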