[extension] pass-audit , a pass extension for auditing your password repository.

Allan Odgaard lists+pass at simplit.com
Sun Feb 25 01:33:51 CET 2018


I wrote the below Ruby script myself to test all my passwords against 
the same service.

It’s tested on macOS; two of my passwords had been breached, both for 
last.fm.

I haven’t used the service in ages, but wanted to update my passwords 
nonetheless.

The last.fm breach was in March of 2012, so I expected both passwords to 
have been disabled.

I log in to last.fm, no problem, and no info box that asks me to update 
my password.

I then go ahead to update my password. I use apg to generate a random 
password.

Lo and behold, last.fm tells me my new password is too weak and I should 
pick another, LMFAO!

```ruby
#!/usr/bin/env ruby
require 'digest'
require 'shellwords'

PASSWORD_STORE_DIR = ENV['PASSWORD_STORE_DIR'] || File.expand_path('~/.password-store')

Dir.chdir(PASSWORD_STORE_DIR) do
  Dir.glob('**/*.gpg') do |file|
    path = "#{PASSWORD_STORE_DIR}/#{file}"
    # pass keeps the password on the first line of each decrypted entry
    pass = %x{ gpg -d #{path.shellescape} 2>/dev/null | head -n1 }.chomp
    hash = Digest::SHA1.hexdigest(pass).upcase

    # k-anonymity: only the first five hex characters of the SHA-1 are sent
    # to the API; the remaining 35 are matched locally against the returned range
    prefix, suffix = hash[0..4], hash[5..39]
    url = "https://api.pwnedpasswords.com/range/#{prefix}"
    response = %x{ curl -sL #{url.shellescape} | grep #{suffix.shellescape} }

    # grep exits 0 only when the suffix appears in the range response
    # (a failed curl also yields a non-zero status, so network errors are silent)
    if $?.exitstatus == 0
      # each matching line has the form SUFFIX:COUNT
      count = response.chomp.split(':')[1]

      dir, name = File.dirname(file), File.basename(file, '.gpg')
      subpath = dir == '.' ? name : "#{dir}/#{name}"
      # note: this prints the breached password in clear on the terminal
      puts "#{count} leaks of your password (‘#{pass}’) for #{subpath}"
    end
  end
end
```
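The range lookup that the script above delegates to curl and grep, written as plain Ruby so the matching step can be exercised offline. This is an added example and not part of the original post or of pass-audit; the function names are my own, the `sample_body` response (including its suffixes and the count) is constructed rather than fetched, and `fetch_range` is included only to show the live request shape with the service's `Add-Padding` header.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): the k-anonymity range lookup
# against api.pwnedpasswords.com, with the suffix match done in Ruby so it
# can be tested against a constructed response without network access.
require 'digest'
require 'net/http'
require 'uri'

HIBP_RANGE_URL = 'https://api.pwnedpasswords.com/range/'

# Split a password's SHA-1 into the 5-hex-char prefix that is sent to the API
# and the 35-hex-char suffix that never leaves this machine.
def hibp_split(password)
  hash = Digest::SHA1.hexdigest(password).upcase
  [hash[0, 5], hash[5, 35]]
end

# Parse a range response ("SUFFIX:COUNT" per line, CRLF line endings) into a
# { suffix => count } Hash. Blank and malformed lines are skipped. Padding
# entries (returned with count 0 when Add-Padding is requested) are kept, but
# their zero count means a match on one of them is not a breach.
def parse_range_response(body)
  body.each_line.each_with_object({}) do |line, table|
    suffix, count = line.strip.upcase.split(':', 2)
    next unless suffix && count
    next unless suffix =~ /\A[0-9A-F]{35}\z/ && count =~ /\A\d+\z/
    table[suffix] = count.to_i
  end
end

# Number of times the password appears in the range response; 0 if absent.
def breach_count(password, body)
  _prefix, suffix = hibp_split(password)
  parse_range_response(body).fetch(suffix, 0)
end

# Live lookup for a prefix (not exercised offline). Add-Padding asks the
# service to pad the response so its size does not reveal which prefix was
# queried; the padding rows come back with a count of 0.
def fetch_range(prefix)
  uri = URI(HIBP_RANGE_URL + prefix)
  req = Net::HTTP::Get.new(uri)
  req['Add-Padding'] = 'true'
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  raise "HIBP range lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Constructed sample response for demonstration only: the real suffix of the
# password "password" with a made-up count, plus two made-up suffixes, one of
# them shaped like a padding entry, and a trailing blank line.
def sample_body
  _prefix, real_suffix = hibp_split('password')
  [
    "#{'A' * 35}:3",
    "#{real_suffix}:3861493",
    "#{'0' * 35}:0",
    ''
  ].join("\r\n")
end

if __FILE__ == $0
  ['password', 'correct horse battery staple'].each do |pw|
    puts "#{pw.inspect} => #{breach_count(pw, sample_body)} leaks (constructed data)"
  end
end
```

Keeping the match in Ruby instead of grep also means a network failure surfaces as an exception from `fetch_range` rather than as a silent "not breached" result, which is the failure mode the curl-and-grep pipeline has.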