this is my life now. infinite frustration cast upon me by an evil curse \

2026-05-23 11:40:03 -06:00
parent bc20acec0f
commit 6b71b15408
3 changed files with 7 additions and 94 deletions
@@ -69,3 +69,8 @@ todo
  - shred all erronious files and dirs
 - cleaned up code
 - better rng
 - better passphrase check
  - checks for exact match
  - minimum of 35 chars
  - checks with cracklib-check
  - checks online with haveibeenpwned.com
@@ -1,5 +1,5 @@
 #!/bin/bash
-# packages: 7zip, shred, secure-delete, cracklib-runtime
+# packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl
 set -e
 unix_seconds=$(date +%s)
 key_path="./private_ed25519_${unix_seconds}"
@@ -1,92 +0,0 @@
 #!/usr/bin/env bash
 # Enable strict error management
 set -o errexit
 set -o errtrace
 set -o pipefail
 # ==============================================================================
 # Comprehensive Passphrase Audit Function
 # ==============================================================================
 audit_passphrase() {
    local raw_password="$1"
    if [[ -z "$raw_password" ]]; then
        echo "[ERROR] No passphrase provided for validation." >&2
        exit 2
    fi
    # --------------------------------------------------------------------------
    # GATE 1: Minimum Length Verification (35+ Characters)
    # --------------------------------------------------------------------------
    local pass_len="${#raw_password}"
    if [ "$pass_len" -lt 35 ]; then
        echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35."
        exit 1
    fi
    echo "  [PASS] Length verification satisfied ($pass_len characters)."
    # --------------------------------------------------------------------------
    # GATE 2: Local Dictionary Check (cracklib-check)
    # --------------------------------------------------------------------------
    # cracklib-check reads from stdin and outputs 'password: status'
    # If secure, the status string reads "OK"
    if ! command -v cracklib-check &> /dev/null; then
        echo "[WARN] cracklib-check binary not found. Skipping dictionary audit." >&2
    else
        local cracklib_result
        cracklib_result=$(echo "$raw_password" | cracklib-check | cut -d':' -f2 | xargs)
        if [[ "$cracklib_result" != "OK" ]]; then
            echo "❌ REJECTED by cracklib-check: $cracklib_result"
            exit 1
        fi
        echo "  [PASS] Local dictionary and structural complexity audit clear."
    fi
    # --------------------------------------------------------------------------
    # GATE 3: Remote Anonymized Leak Check (HIBP API via k-Anonymity)
    # --------------------------------------------------------------------------
    local full_hash
    full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}')
    local prefix="${full_hash:0:5}"
    local suffix="${full_hash:5}"
    local api_url="https://api.pwnedpasswords.com/range/$prefix"
    local response
    if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then
        echo "[FATAL] Failed to communicate with HIBP API." >&2
        exit 3
    fi
    local match
    match=$(echo "$response" | grep -i "^$suffix:")
    if [[ -n "$match" ]]; then
        local pwn_count
        pwn_count=$(echo "$match" | cut -d':' -f2 | tr -d $'\r')
        echo "❌ VULNERABLE: This passphrase has appeared in $pwn_count known public breaches."
        exit 1
    else
        echo "✅ SUCCESS: Passphrase meets all local criteria and was not found in HIBP records."
        return 0
    fi
 }
 # ==============================================================================
 # Execution Example
 # ==============================================================================
 echo "=== System Passphrase Security Enforcer ==="
 read -r -s -p "Enter a new secure passphrase (35+ chars): " user_input
 echo ""
 # Run the complete pipeline
 audit_passphrase "$user_input"
 exit_status=$?
 # Instantly wipe raw secret text from memory space
 unset user_input
 exit "$exit_status"