Releases: wneessen/apg-go

v1.2.0: Mobile-friendly character grouping

04 Apr 09:27
bfe3a99

Mobile-friendly character grouping

This release adds support for grouping characters in a mobile-friendly manner. Entering a random string of characters on a smartphone touch screen is tedious and error-prone because you have to toggle keypads to reach different character tables. For this reason, this feature arranges the characters of the generated password in "keypad order". It does so by sorting the characters into character groups. The following precedence is used: upper-case characters, lower-case characters, numeric values, any other character.

Example:

$ apg-go -C -f 20 -n 1 -g
CETMPGGxuamj346!)>})

Please note that this feature makes the generated passwords much more predictable and lowers the entropy of the generated password. Please use this feature with caution.
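To put a number on the entropy warning above, the following added example (not apg-go's own code) groups a password in the stated precedence and computes how many bits of class-interleaving information the grouping discards. It assumes the ungrouped password is drawn uniformly at random and that the order inside each group is preserved; `class`, `groupMobile` and `bitsLost` are hypothetical names.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// class maps r to its keypad group: 0 upper, 1 lower, 2 numeric, 3 other.
func class(r rune) int {
	switch {
	case unicode.IsUpper(r):
		return 0
	case unicode.IsLower(r):
		return 1
	case unicode.IsDigit(r):
		return 2
	}
	return 3
}

// groupMobile reorders pw into keypad order, keeping the relative order
// inside each group (an assumption; apg-go's own ordering may differ).
func groupMobile(pw string) string {
	var groups [4]strings.Builder
	for _, r := range pw {
		groups[class(r)].WriteRune(r)
	}
	return groups[0].String() + groups[1].String() + groups[2].String() + groups[3].String()
}

// bitsLost is log2 of the number of class interleavings that collapse to
// one grouped output: N! / (u! * l! * n! * s!), computed via log-gamma.
func bitsLost(pw string) float64 {
	var counts [4]float64
	for _, r := range pw {
		counts[class(r)]++
	}
	total := counts[0] + counts[1] + counts[2] + counts[3]
	lg, _ := math.Lgamma(total + 1)
	for _, c := range counts {
		f, _ := math.Lgamma(c + 1)
		lg -= f
	}
	return lg / math.Ln2
}

func main() { fmt.Println(groupMobile("a1B!c2D?"), bitsLost("a1B!c2D?")) } // constructed sample
```

For the 20-character password shown above (7 upper-case, 5 lower-case, 3 numeric, 5 other), this works out to roughly 32 bits that an attacker who knows the grouping rule no longer has to guess.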

What's Changed

  • Add SPDX license headers in scorecard.yml by @wneessen in #61
  • Create codeql.yml by @wneessen in #64
  • Add read permissions to GitHub workflows by @wneessen in #67
  • Create SECURITY.md by @wneessen in #68
  • Add fuzzing by @wneessen in #69
  • [StepSecurity] Apply security best practices by @step-security-bot in #71
  • Bump codecov/codecov-action from 3.1.6 to 4.1.0 by @dependabot in #75
  • Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in #72
  • Bump docker/login-action from 1.9.0 to 3.1.0 by @dependabot in #73
  • Bump github/codeql-action from 2.2.4 to 3.24.7 by @dependabot in #74
  • Bump ossf/scorecard-action from 2.1.2 to 2.3.1 by @dependabot in #76
  • Add OpenSSF Best Practices badge to README.md by @wneessen in #77
  • Add CONTRIBUTING.md with contribution guidelines by @wneessen in #78
  • Bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in #79
  • Bump fsfe/reuse-action from 1.3.0 to 3.0.0 by @dependabot in #80
  • Bump actions/upload-artifact from 3.1.0 to 4.3.1 by @dependabot in #81
  • Bump github/codeql-action from 3.24.7 to 3.24.8 by @dependabot in #82
  • Bump docker/setup-buildx-action from 2.10.0 to 3.2.0 by @dependabot in #83
  • Bump sonarsource/sonarqube-scan-action from 1b9d398800bf807ad36901b351fff52deba642d6 to 9ad16418d1dd6d28912bc0047ee387e90181ce1c by @dependabot in #87
  • Bump docker/metadata-action from 3.3.0 to 5.5.1 by @dependabot in #86
  • Bump docker/build-push-action from 3.3.1 to 5.3.0 by @dependabot in #85
  • Bump actions/setup-go from 3.5.0 to 5.0.0 by @dependabot in #84
  • Bump github/codeql-action from 3.24.8 to 3.24.9 by @dependabot in #89
  • Add mobile-friendly character grouping by @wneessen in #90
  • Update workflows to trigger on specific file changes by @wneessen in #91
  • Remove cosign files, since we use GH for Docker by @wneessen in #92
  • Add Go install instructions to README by @wneessen in #94
  • Add new test cases and rearrange existing ones by @wneessen in #95
  • Bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in #96
  • Bump sonarsource/sonarqube-scan-action from 9ad16418d1dd6d28912bc0047ee387e90181ce1c to 53c3e3207fe4b8d52e2f1ac9d6eb1d2506f626c0 by @dependabot in #97
  • Bump golang from 0b55ab8 to c4fb952 by @dependabot in #98
  • Add logo to README and release package by @wneessen in #99

Full Changelog: v1.1.0...v1.2.0

v1.1.0: Binary mode

17 Mar 17:43
4a6b9b3

This release adds a new mode: binary mode. This new mode generates a binary secret with full 256 bits of randomness. Due to the nature of the mode, it ignores most of the available options. The only available options for this mode are: -f to set the length of the returned secret in bytes, -bh to tell apg-go to output the generated secret in hexadecimal representation and -bn to instruct apg-go to return a newline after the generated secret. Any other option available in the other modes will be ignored.

This mode can be useful, for example, if you need to generate an AES-256 encryption key. Since 32 bytes is the default length for the secret generation in this mode, you can simply generate a secret key with the following command:

$ apg -a 3 -bh
a1cdab8db365af3d70828b1fe43b7896190c157ad3f1ae2a0a1d52ec1628c6b5

For ease of readability we used the -bh flag to instruct apg-go to output the secret in its hexadecimal representation.

Full Changelog: v1.0.0...v1.1.0

v1.0.0: Full rewrite, better API and new features

14 Mar 10:29
ddae28d

Welcome to apg-go v1

This is a full rewrite of apg-go! We've changed the complete API to make it more accessible to developers who want to make use of apg-go's functionality in their own codebase. In addition, the code base is much cleaner and now has almost full test coverage. We've also changed the way we release. Instead of using GitHub Actions we now make use of the incredible GoReleaser, allowing us to have pre-built packages for lots of OS/architectures as well as pre-compiled packages for lots of Linux distributions. Everything is also now GPG signed for improved security.

New features

New API

Since v1 is a full rewrite, the API has changed completely. Everything is now bound to a Generator, while the password requirements are bound to a Config. The Generator will use the Config for all the password generation tasks.

Here is a simple code example that shows how easy and accessible the API now is:

package main

import (
        "fmt"

        "github.com/wneessen/apg-go"
)

func main() {
        config := apg.NewConfig(
                apg.WithAlgorithm(apg.AlgoRandom),
                apg.WithModeMask(apg.ModeSpecial|apg.ModeNumeric|apg.ModeLowerCase|apg.ModeUpperCase),
                apg.WithFixedLength(15))
        generator := apg.New(config)
        password, err := generator.Generate()
        if err != nil {
                panic(err)
        }
        fmt.Println("Your password:", password)
}

For full details, check the Godoc reference.

Coinflip mode

Sometimes you just want to quickly perform a simple, but random coinflip. Since v1.0.0 apg-go has a coinflip mode, which will return either "Heads" or "Tails". To use coinflip mode, use the -a 2 argument:

$ ./apg -n 10 -a 2
Tails
Tails
Heads
Heads
Tails
Tails
Tails
Tails
Heads
Heads

Minimum required characters

Even though in apg-go you can select what kind of characters are used for the password generation, it is
not guaranteed that, if you request a password with a numeric value, the generated password will
actually have a numeric value. Since v1.0.0 apg-go has a new set of arguments that lets you define
a minimum amount of characters of a specific character class to be included in the generated password.
This can be requested with the -mL, -mN, -mS and -mU arguments. Each stands for the corresponding
character class. If one of the arguments is given, apg-go will generate passwords until the requested amount
of characters of the corresponding class is given.

Note on minimum characters: Please keep in mind that, due to the way the "minimum amount" feature works,
the calculation time for passwords can increase and, if the amount is set too high, it can result in apg-go
never being able to finish the job.

Example:

$ ./apg -n 10 -a 1 -M NLUs -f 20 -mN 3
kqFG935E280LvTFUbJ4M
RVBJAI5tJ6hy6oWrNfXG
uy1IWBEoOQFyG66VrLqu
T5k9oKieImvJ9hxePfHt
0TTpGzMUje6mU7IXaSII
gvDjPmlj8J6glR0iy0h4
C5OP3Ph7bx173v0gRNsn
SEuP7I3en6ai9OuHvNSs
yira1uPQ8qmo5OKUM4Er
bu0nzhjoKn8Uiy3H2RjD
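The generate-until-satisfied behaviour and its failure mode, as an added example that is not apg-go's own code: it mirrors the command above (letters and digits, length 20, at least 3 digits), rejects impossible requests up front, caps the retries, and computes the chance that a single attempt is accepted. `pool`, `acceptProb`, `generateMinDigits` and the retry budget are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// pool is a constructed 62-character alphabet; 10 of its characters are digits.
const pool = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// acceptProb is the chance that one random password has at least minN digits.
func acceptProb(length, minN int) float64 {
	p, sum := 10.0/float64(len(pool)), 0.0
	for k := minN; k <= length; k++ {
		c, _ := new(big.Float).SetInt(new(big.Int).Binomial(int64(length), int64(k))).Float64()
		sum += c * math.Pow(p, float64(k)) * math.Pow(1-p, float64(length-k))
	}
	return sum
}

// generateMinDigits draws passwords from the OS CSPRNG until one has at least
// minN digits, failing fast on impossible input and after maxTries attempts.
func generateMinDigits(length, minN, maxTries int) (string, error) {
	if minN > length {
		return "", fmt.Errorf("minimum %d exceeds length %d", minN, length)
	}
	limit := big.NewInt(int64(len(pool)))
	for try := 0; try < maxTries; try++ {
		pw, found := make([]byte, length), 0
		for i := range pw {
			idx, err := rand.Int(rand.Reader, limit)
			if err != nil {
				return "", err
			}
			pw[i] = pool[idx.Int64()]
			if pw[i] >= '0' && pw[i] <= '9' {
				found++
			}
		}
		if found >= minN {
			return string(pw), nil
		}
	}
	return "", fmt.Errorf("no password with %d digits in %d tries", minN, maxTries)
}

func main() { fmt.Println(generateMinDigits(20, 3, 1000)) }
```

With this alphabet about 65% of attempts satisfy a minimum of 3 digits in 20 characters, while a minimum of 20 digits is accepted with a probability of about 1e-16 per attempt, which is why an unbounded loop would effectively never finish.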

Better test coverage

We now have actual unit tests in the apg-go code base. Currently the coverage is ~85% and we are working to improve it even more, where possible.

Changelog

Full Changelog: v0.4.1...v1.0.0

v0.4.1: Maintenance and dockerization release

11 May 13:16
cd9b8a9

This version is mainly a maintenance release.

Mentionworthy changes

  • 81067bd fixes a typo (Thanks to @aberoham for the PR)
  • 9f3c76c Integrates with our SonarQube instance for static code analysis
  • b134875 Bumps the go-hibp library to v1.0.2
  • 1297c5a Introduces dockerization

Dockerization

We now provide a Docker container of apg-go via the GitHub Docker registry.

  • Download the image:
    $ docker pull ghcr.io/wneessen/apg-go:main
  • Run the image:
    $ docker run ghcr.io/wneessen/apg-go:main

v0.4.0: Pronounceable passwords and optimizations

24 Oct 20:03
9741260

New features

Pronounceable passwords

Initially, pronounceable passwords were not part of apg-go, since FIPS-181 was withdrawn in 2015. Due to user requests (see #27), with this release we are adding pronounceable passwords using the Koremutake syllable system. It works analogously to the original "apg" by setting the -a flag to 0. The spelled-out pronunciation can be displayed with the -t flag.

Enhancements

apg-go package and CLI client separated

To allow other Go programmers to make use of apg-go, the code of the CLI and the actual package have been separated.

Faster password generation

With #37 we have optimized the password generation code. We are using bitmask switching now, which turns out to be almost 10x faster than the original code.

HIBP support cleanup

The HIBP code has been removed from the apg-go package and has been replaced with the much more versatile go-hibp package.

v0.4.0-rc1

23 Sep 18:05
e08d964
Pre-release

This is release candidate 1 for the v0.4.0 release. The main changes are the separation of the CLI and the actual library code, the replacement of HIBP with go-hibp, and the addition of pronounceable passwords.

v0.3.2: parameter switchability, HIBP and better README

29 Apr 12:18
913f79c

New features

HIBP support

Even though the passwords are generated in a secure way, there is a minimal chance that the same password was used by someone before and that this password was part of a leak. If you want to be on the safe side, you can now use the -p parameter to have your newly generated password checked against the HIBP (https://haveibeenpwned.com) database. This feature is disabled by default, since it requires internet access and the API call might take ~500ms to 1sec.

Bug fixes

Parameter switchability

The previous behavior was wrong in that default values like "use lower case" defaulted to true and using the -L param would not set it to false, but simply keep the true default, which made the parameter useless. Now all parameters still use the same defaults, but setting the corresponding flag on the CLI will negate the default, so using -L on the CLI would set "useLowerCase" to false instead of the default of true.

Enhancements

The README was lacking some usage examples. As requested in #25, the README has been updated with several examples on the different parameters.

Contributions

Thanks to @smortex for fixing an oversight in the usage output (#24)

v0.3.1: New password length behaviour

17 Apr 09:23
3e00103

To address issue #13, the password length behaviour of the
original APG has been reproduced. Previously, when a minLength
of 5 and a maxLength of 10 was given, apg-go set the pwLength to
the preferred maxLength.

With v0.3.1 it will choose a random length between minLength and
maxLength instead, same as the original C-lang apg did. For this
the minLength has been defaulted to a sane value of 12 (instead
of the 8 of the original apg). The default for maxLength stayed
at 20.

Also the default number of generated passwords has been changed
from 1 to 6, to replicate the behaviour of the original apg.

v0.3.0: Unified the naming convention

01 Apr 08:57
b3b3d28

There was a mix-up of "Automated" and "Advanced" all over the place. This has been unified to "Automated".

v0.2.9: Replaced standard go-help with custom usage text

28 Mar 09:53
092fa3b
Merge pull request #7 from wneessen/dev

Dev