Documentation
Overview
Package passphrase implements a provider that derives a 32-byte secret from a user-supplied passphrase using Argon2id. Intended to be enrolled 2+ times as offline recovery codes.
Index
- Constants
- type Passphrase
- func (p *Passphrase) Derive(ctx context.Context, params map[string]string) ([]byte, error)
- func (p *Passphrase) Description() string
- func (p *Passphrase) Enroll(ctx context.Context, id string) (*provider.EnrollResult, error)
- func (p *Passphrase) EnrollOptions() []provider.EnrollOption
- func (p *Passphrase) EnrollWarning(values map[string]string) string
- func (p *Passphrase) InteractiveDerive() bool
- func (p *Passphrase) Type() string
- type Strength
Constants
const ScoreThreshold = 3
ScoreThreshold is the minimum zxcvbn score cryptkey considers "not weak" for enrollment-time warnings. Scores at or above this pass silently.
Variables
This section is empty.
Functions
This section is empty.
Types
type Passphrase
type Passphrase struct{}
func (*Passphrase) Description
func (p *Passphrase) Description() string
func (*Passphrase) Enroll
func (p *Passphrase) Enroll(ctx context.Context, id string) (*provider.EnrollResult, error)
func (*Passphrase) EnrollOptions
func (p *Passphrase) EnrollOptions() []provider.EnrollOption
func (*Passphrase) EnrollWarning
func (p *Passphrase) EnrollWarning(values map[string]string) string
func (*Passphrase) InteractiveDerive
func (p *Passphrase) InteractiveDerive() bool
func (*Passphrase) Type
func (p *Passphrase) Type() string
type Strength
type Strength struct {
    Score        int     // 0..4; higher is stronger
    Entropy      float64 // bits
    CrackDisplay string  // human-readable crack-time estimate (zxcvbn's own label)
}
Strength describes the estimated resistance of a passphrase to offline brute force. Cryptkey uses zxcvbn's classifier under the hood; the scores map roughly to:
0  too guessable       (< 10^3 guesses)
1  very guessable      (< 10^6 guesses)
2  somewhat guessable  (< 10^8 guesses)   ← default "weak" threshold
3  safely unguessable  (< 10^10 guesses)
4  very unguessable    (>= 10^10 guesses)
Cryptkey's Argon2id stretching adds ~1–2 seconds per guess on top of zxcvbn's estimate, so a score of 2 is already expensive to attack in practice. We still warn below score 3 so users making a throwaway test profile aren't surprised when a determined attacker on rented GPU time eventually wins.
func ScorePassphrase
ScorePassphrase returns a Strength estimate for the given passphrase. The check runs entirely offline against zxcvbn's bundled dictionary; no network calls, no disk I/O beyond the already-loaded process image.
Taking a []byte (rather than a string) keeps the hot path aligned with the rest of cryptkey's secret hygiene: the caller can zero the buffer once it is no longer needed. zxcvbn's API takes a string, so we construct one here and accept the window during which an immutable copy of the passphrase exists in memory as the cost of using the library.
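The score bands and the ScoreThreshold warning described above, as an added example that is not cryptkey's own code: a stdlib-only stand-in for the zxcvbn-backed ScorePassphrase. The guess estimator is a constructed, deliberately crude character-class model (zxcvbn's dictionary and pattern matching would rate dictionary words far lower); the 1e4 guesses/second rate behind CrackDisplay and the "passphrase" key read by EnrollWarning are assumptions, not cryptkey's values.

```go
// Added example, not cryptkey's own code: stand-in for the zxcvbn-backed
// scorer that applies the documented 0..4 bands and ScoreThreshold.
package main

import (
	"fmt"
	"math"
	"unicode"
)

// ScoreThreshold mirrors the package constant: scores at or above it pass silently.
const ScoreThreshold = 3

// Passphrase and Strength mirror the documented types.
type Passphrase struct{}

type Strength struct {
	Score        int     // 0..4; higher is stronger
	Entropy      float64 // bits
	CrackDisplay string  // human-readable crack-time estimate
}

// estimateGuesses is a constructed, crude estimator (NOT zxcvbn): it assumes
// the attacker brute-forces only the character classes actually present.
func estimateGuesses(pw []byte) float64 {
	runes := []rune(string(pw)) // the string conversion copies; caller zeroes pw afterwards
	if len(runes) == 0 {
		return 1
	}
	var classes [4]bool // lower, upper, digit, other
	for _, r := range runes {
		switch {
		case unicode.IsLower(r):
			classes[0] = true
		case unicode.IsUpper(r):
			classes[1] = true
		case unicode.IsDigit(r):
			classes[2] = true
		default:
			classes[3] = true
		}
	}
	pool := 0.0
	for i, size := range [4]float64{26, 26, 10, 33} { // 33 = ASCII punctuation + space
		if classes[i] {
			pool += size
		}
	}
	return math.Pow(pool, float64(len(runes)))
}

// scoreFromGuesses applies the bands listed in the Strength documentation.
func scoreFromGuesses(guesses float64) int {
	switch {
	case guesses < 1e3:
		return 0
	case guesses < 1e6:
		return 1
	case guesses < 1e8:
		return 2
	case guesses < 1e10:
		return 3
	default:
		return 4
	}
}

// crackDisplay assumes 1e4 guesses/s against an unstretched hash (constructed
// figure); Argon2id stretching slows this by orders of magnitude.
func crackDisplay(guesses float64) string {
	secs := guesses / 1e4
	switch {
	case secs < 1:
		return "instant"
	case secs < 60:
		return "seconds"
	case secs < 3600:
		return "minutes"
	case secs < 86400:
		return "hours"
	default:
		return "days or more"
	}
}

// ScorePassphrase takes []byte like the real function so the caller can wipe it.
func ScorePassphrase(pw []byte) Strength {
	g := estimateGuesses(pw)
	return Strength{Score: scoreFromGuesses(g), Entropy: math.Log2(g), CrackDisplay: crackDisplay(g)}
}

// EnrollWarning reads the candidate under the assumed key "passphrase" and
// returns "" when the score meets ScoreThreshold.
func (p *Passphrase) EnrollWarning(values map[string]string) string {
	s := ScorePassphrase([]byte(values["passphrase"]))
	if s.Score >= ScoreThreshold {
		return ""
	}
	return fmt.Sprintf("weak passphrase: score %d/4 (need %d), ~%.0f bits, crackable in %s without stretching",
		s.Score, ScoreThreshold, s.Entropy, s.CrackDisplay)
}

func main() {
	p := &Passphrase{}
	for _, c := range []string{"hello", "correct horse battery staple"} {
		fmt.Printf("%q -> %+v warning=%q\n", c, ScorePassphrase([]byte(c)), p.EnrollWarning(map[string]string{"passphrase": c}))
	}
}
```

Running it shows "hello" landing in band 2 with a warning and the long multi-word passphrase in band 4 with none; the point to take from the bands is that the warning fires on score 0, 1 and 2, and that the crack-time label is computed before any Argon2id stretching is accounted for.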