audit /audit summary is broken/regressed

[leogott]

Summary

• gopass audit (--failed) does not give a summary as it previously did
• instead, each password individually reports all the successful and failed checks, without a summary
• and each check looks like a failed one, even when ok
• the reported age (as in time or oldness, not the other age) is wrong (time since of last recipient add instead of since most recent change)
• the reported age is formatted weirdly and way too precise

$ gopass version
gopass 1.15.11 go1.21.4 linux amd64
$ gopass audit
Auditing passwords for common flaws ...
Checking 999 secrets. This may take some time ...

] 999 / 999 [Goooooooooooooooooooooooooooooooooooooooooooooooooooopass] 100.00% 
Account/account.example.com (age: 45h45m19.491782411s)
❌ [none] zxcvbn: ok
❌ [none] crunchy: ok
❌ [none] equals-name: ok
Account/accounts.example2.com (age: 45h45m19.492260001s)
❌ [none] equals-name: ok
❌ [warning] crunchy: Password is too systematic
❌ [warning] zxcvbn: weak password (2 / 4)

[...]

Account/accounts.example3.net (age: 45h45m19.49177853s)
❌ [none] crunchy: ok
❌ [none] equals-name: ok
❌ [none] zxcvbn: ok
2024/03/05 15:51:12 weak password or duplicates detected
$

Fig 1: audit output. broken a.f.

Steps To Reproduce

1. $ gopass audit

Expected behavior

This is what it used to look like

$ gopass version
gopass 1.14.3 go1.18.3 linux amd64
<root>     -  gpg 2.3.7 - gitfs 2.40.1
Available Crypto Backends: age, gpgcli, plain
Available Storage Backends: fossilfs, fs, gitfs

Your version (1.14.3) of gopass is out of date!
The latest version is 1.15.11.
You can update by downloading from https://www.gopass.pw/#install or via your package manager
$ gopass audit
Auditing passwords for common flaws ...
Checking 999 secrets. This may take some time ...

] 999 / 999
[Goooooooooooooooooooooooooooooooooooooooooooooooooooopass] 100.00%
Detected a shared secret for:
	- Account/example.de
	- Service/example.de
Password is too short:
	- Account/another-example.de/example
weak password (0 / 4):
	- Account/another-example.de/example
Password is mangled, but too common / from a dictionary:
	- Account/example.com
Password is too systematic:
	- Account/yet-another-example.de
	- Folder/quite-a-list-of-examples.de
weak password (2 / 4):
[...]

Fig 2: audit summary, not perfect but quite alright

Environment

• OS: Fedora Linux 36 and Pop!OS 22.04 LTS (it looked pretty similar on the latter, but I'd have to check if it was identical)
• gopass Version: v1.15.11 (only applies to fig1 )
• Installation method: github release (only applies to fig1 )

Additional context

[dominikschulz]

I didn't realize this looked so odd since the last change. TBH my recent changes were focused more on the HTML output than the CLI so I might have missed some of the regressions. Some things are obvious (like the duration format) and easy to change.

But other might require more changes, like bringing back the summary. Let's see what we can do.

[dominikschulz]

the reported age (as in time or oldness, not the other age) is wrong (time since of last recipient add instead of since most recent change)

I don't think there is anythink we can do about this. Currently we're checking the age of the latest revision of the secret. If you modify recipients after changing the password this will show up as the age. I can't think of a generic way (i.e. one thats compatible with vanilla pass) that would properly detect the password age. We would need additional metadata for that. And once we introduce that all existing secrets for all users will show a wrong age until everyone has changed all their passwords with gopass. And when manually editing a secret users will definitely not always update that metadata.

I'm sorry, but that's the downside of using a flexible and transparent data format that tries to be compatible with other projects.

[leogott]

Thanks for the reply!
I believe it would be possible to get a better password age warning, just by matching rcs commit messages,
(and/or printing it as "[guesstimated age] or older",) and I might just give it a shot!
I'll outline my idea in a new issue, if that's alright?

[dominikschulz]

Sounds good. Feel free to propose something. The other issues you raised should be taken care off by my PR once that's merged.