<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Haven't tried this patch but was looking to solve the same problem when I saw the blog post yesterday. There are a couple extensions out there that also implement this functionality. The first is able to check all passwords in the store and thus is what I ended up using.</div><div><br></div><div>[1] <a href="https://github.com/jamesridgway/pass-pwned">https://github.com/jamesridgway/pass-pwned</a></div><div>[2] <a href="https://github.com/alzeih/pass-pwned">https://github.com/alzeih/pass-pwned</a><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 17, 2019 at 4:49 PM Pass Word <<a href="mailto:passwordstore@89vx.net">passwordstore@89vx.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Someone asked on irc today for an option to check passwords against the <br>
Have I Been Pwned website to see if they are already compromised. It is <br>
probably extremely rare for a password generated with pass to already be <br>
on there but whatever, it is still somewhat useful to check other <br>
passwords you might have stored in pass.<br>
<br>
Only the first 5 chars of the sha1 hash of each password is sent to the <br>
site (k-anonymity).<br>
<br>
Requires wget.<br>
<br>
$ pass check<br>
/Users/me/.password-store/deleteme.gpg contains a password found on HIBP.<br>
<br>
<br>
<br>
<br>
diff --git a/man/pass.1 b/man/pass.1<br>
index 01a3fbe..c20482b 100644<br>
--- a/man/pass.1<br>
+++ b/man/pass.1<br>
@@ -89,6 +89,13 @@ for matching. \fIGREPOPTIONS\fP are passed to<br>
.BR grep (1)<br>
as-is. (Note: the \fIGREP_OPTIONS\fP environment variable functions as <br>
well.)<br>
.TP<br>
+\fBcheck\fP<br>
+Searches inside each decrypted password file for passwords found on the<br>
+\fBHave I Been Pwned\fP<br>
+(<a href="http://pwnedpasswords.com" rel="noreferrer" target="_blank">http://pwnedpasswords.com</a>)<br>
+website. Only the first five characters of the SHA1 sum of each password<br>
+are submitted.<br>
+.TP<br>
\fBfind\fP \fIpass-names\fP...<br>
List names of passwords inside the tree that match \fIpass-names\fP by <br>
using the<br>
.BR tree (1)<br>
@@ -287,6 +294,11 @@ Generate new password and copy it to the clipboard<br>
.br<br>
Copied Email/<a href="http://jasondonenfeld.com" rel="noreferrer" target="_blank">jasondonenfeld.com</a> to clipboard. Will clear in 45 seconds.<br>
.TP<br>
+Check for compromised passwords<br>
+.B zx2c4@laptop ~ $ pass check<br>
+.br<br>
+/Users/me/.password-store/deleteme.gpg contains a password found on HIBP<br>
+.TP<br>
Remove password from store<br>
.B zx2c4@laptop ~ $ pass remove Business/cheese-whiz-factory<br>
.br<br>
diff --git a/src/password-store.sh b/src/password-store.sh<br>
index d89d455..af3b649 100755<br>
--- a/src/password-store.sh<br>
+++ b/src/password-store.sh<br>
@@ -270,6 +270,8 @@ cmd_usage() {<br>
If put on the clipboard, it will be cleared in $CLIP_TIME <br>
seconds.<br>
$PROGRAM grep [GREPOPTIONS] search-string<br>
Search for password files containing search-string when <br>
decrypted.<br>
+ $PROGRAM check<br>
+ Search for password files containing passwords found on <br>
Have I Been Pwned.<br>
$PROGRAM insert [--echo,-e | --multiline,-m] [--force,-f] <br>
pass-name<br>
Insert new password. Optionally, echo the password back to <br>
the console<br>
during entry. Or, optionally, the entry may be multiline. <br>
Prompt before<br>
@@ -398,6 +400,22 @@ cmd_find() {<br>
tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs <br>
--ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( <br>
->|$)/\1\2/g'<br>
}<br>
<br>
+cmd_check() {<br>
+ local password passfile sha1 prefix rest<br>
+ while read -r -d "" passfile; do<br>
+ password="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | head -1)"<br>
+ [[ $? -ne 0 ]] && continue<br>
+ sha1=$(echo -n "$password" | $GPG --print-md sha1 | sed "s/ //g")<br>
+ prefix=$(echo "${sha1:0:5}")<br>
+ rest=$(echo "${sha1:5}")<br>
+ set +o pipefail<br>
+ if wget -q -O- <a href="https://api.pwnedpasswords.com/range/" rel="noreferrer" target="_blank">https://api.pwnedpasswords.com/range/</a>"$prefix" | <br>
grep -qi "$rest"<br>
+ then<br>
+ echo "$passfile" contains a password found on HIBP.<br>
+ fi<br>
+ done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg' <br>
-print0)<br>
+}<br>
+<br>
cmd_grep() {<br>
[[ $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [GREPOPTIONS] <br>
search-string"<br>
local passfile grepresults<br>
@@ -690,6 +708,7 @@ case "$1" in<br>
show|ls|list) shift; cmd_show "$@" ;;<br>
find|search) shift; cmd_find "$@" ;;<br>
grep) shift; cmd_grep "$@" ;;<br>
+ check) shift; cmd_check "$@" ;;<br>
insert|add) shift; cmd_insert "$@" ;;<br>
edit) shift; cmd_edit "$@" ;;<br>
generate) shift; cmd_generate "$@" ;;<br>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
</blockquote></div>