Useful command line to scan the password store for anything in the 'pwned-passwords-1.0.txt list'

Thomas Harning Jr. harningt at gmail.com
Fri Aug 4 17:07:08 CEST 2017


The pwned-passwords-1.0.txt file is a massive but sorted list of sha1
hashes.

grep takes forever to go through it for a single password (it doesn't know
anything about digging through sorted files). On the other hand, a tool I
found to be helpful is:
sgrep - https://sourceforge.net/projects/sgrep/
which assumes a file with sorted lines and does a binary search through it.

With that tool installed, I can dig through my password database of some
300 encrypted passwords, decrypt them, hash them, and find them in the file
in about a minute total (slow machine with encrypted magnetic storage).

Here's the command line used:
# For each pass entry: decrypt, take the first line (the password), strip the
# newline, SHA-1 it, uppercase the hex digest and binary-search the sorted list
# with sgrep. The second -exec prints the matching password after "MATCH <file> with".
# The tr character classes are quoted so the shell does not glob them.
find ~/.password-store -name '*.gpg' \
  -exec sh -c "/usr/local/bin/sgrep \$(gpg2 -d -q < \"{}\" | head -n 1 | tr -d '\\n' | sha1sum | cut -d ' ' -f 1 | tr '[a-z]' '[A-Z]') pwned-passwords-1.0.txt" \; \
  -printf "MATCH %f with " \
  -exec sh -c "gpg2 -d -q < \"{}\" | head -n 1" \;

I imagine this sort of thing might be useful as a plugin and broken out
into many lines, as it's a mess... but I thought it'd be very helpful.

It does end up with some false positives if you store empty password
fields, but it is useful nonetheless.

If there are any other massive password stores to scan against, perhaps we
can set up a wiki page with references to password dumps and references on
how to use this (in this case a shell script + sgrep to go through it).

In general, a randomly generated password should probably not ever match
the list, but for dealing with old accounts / manually generated passwords
- it seems an invaluable utility.
-- 
Thomas Harning Jr. (http://about.me/harningt)
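The post's approach, as an added, self-contained example that is not the post's own command nor part of pass: a binary search over a sorted file of uppercase SHA-1 lines, the same idea sgrep applies, followed by a scan of constructed stand-ins for decrypted entries. It assumes every line in the list has equal width (40 hex characters plus a line ending, the shape of pwned-passwords-1.0.txt) and that the file is sorted in byte order; sgrep itself also handles variable-width lines, which this simplified search does not. The empty-password false positive the post mentions is handled explicitly: the SHA-1 of the empty string is in the real list, so empty entries are reported as skipped rather than pwned.

```python
"""Binary search over a sorted SHA-1 list, in the spirit of the sgrep-based
command from the post. Added example, not code from the post or from pass.
Assumes every line is one uppercase SHA-1 hex digest of equal width and the
file is sorted in byte order (the pwned-passwords-1.0.txt shape)."""
import hashlib
import os
import tempfile

# Constructed sample passwords; "" stands in for an empty first line in a
# pass entry, which is the false-positive case the post mentions.
SAMPLE_PASSWORDS = ["password", "123456", "letmein", "qwerty", ""]


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as uppercase hex, matching the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_file(passwords=SAMPLE_PASSWORDS) -> str:
    """Write a small sorted hash list to a temp file and return its path."""
    hashes = sorted({sha1_upper(p) for p in passwords})
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        for h in hashes:
            f.write(h + "\n")
    return path


def hash_in_sorted_file(path: str, target: str) -> bool:
    """Binary search by seeking to line boundaries: O(log n) reads instead of
    grep's full scan. Equal-width lines make the boundary arithmetic trivial."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        line_len = len(f.readline())  # 40 hex chars plus "\n" or "\r\n"
        if line_len == 0 or size % line_len:
            raise ValueError("expected a file of equal-width hash lines")
        lo, hi = 0, size // line_len
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(mid * line_len)
            line = f.read(line_len).rstrip(b"\r\n").decode("ascii")
            if line == target:
                return True
            if line < target:
                lo = mid + 1
            else:
                hi = mid
    return False


def check_password(path: str, password: str) -> str:
    """Return 'pwned', 'clean', or 'skipped' for an empty password: the SHA-1
    of "" is in the real list, so hashing it gives the false positive the
    post warns about."""
    if password == "":
        return "skipped"
    return "pwned" if hash_in_sorted_file(path, sha1_upper(password)) else "clean"


def scan(path: str, entries: dict) -> dict:
    """entries maps an entry name to its first decrypted line, as the
    find/gpg2 pipeline in the post would produce; returns name -> verdict."""
    return {name: check_password(path, pw) for name, pw in entries.items()}


if __name__ == "__main__":
    sample = build_sample_file()
    # Constructed stand-in for decrypted pass entries (no real store is read).
    results = scan(sample, {"old-forum": "letmein",
                            "bank": "correct horse battery staple",
                            "empty-entry": ""})
    for name, verdict in results.items():
        print(f"{verdict:8s} {name}")
    os.unlink(sample)
```

In practice the `entries` dict would be filled by decrypting each `.gpg` file and taking its first line, exactly as the post's pipeline does; keeping that step outside the search function means the search can be tested against a constructed list without touching a real password store.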

