[PATCH] Add command 'check' to check passwords against HIBP

Pass Word passwordstore at 89vx.net
Thu Jan 17 23:48:04 CET 2019

Someone asked on irc today for an option to check passwords against the 
Have I Been Pwned website to see if they are already compromised.  It is 
probably extremely rare for a password generated with pass to already be 
on there but whatever, it is still somewhat useful to check other 
passwords you might have stored in pass.

Only the first 5 chars of the sha1 hash of each password is sent to the 
site (k-anonymity).

Requires wget.

$ pass check
/Users/me/.password-store/deleteme.gpg contains a password found on HIBP.

diff --git a/man/pass.1 b/man/pass.1
index 01a3fbe..c20482b 100644
--- a/man/pass.1
+++ b/man/pass.1
@@ -89,6 +89,13 @@ for matching. \fIGREPOPTIONS\fP are passed to
  .BR grep (1)
  as-is. (Note: the \fIGREP_OPTIONS\fP environment variable functions as 
+Searches inside each decrypted password file for passwords found on the
+\fBHave I Been Pwned\fP
+website.  Only the first five characters of the SHA1 sum of each password
+are submitted.
  \fBfind\fP \fIpass-names\fP...
  List names of passwords inside the tree that match \fIpass-names\fP by 
using the
  .BR tree (1)
@@ -287,6 +294,11 @@ Generate new password and copy it to the clipboard
  Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.
+Check for compromised passwords
+.B zx2c4 at laptop ~ $ pass check
+/Users/me/.password-store/deleteme.gpg contains a password found on HIBP
  Remove password from store
  .B zx2c4 at laptop ~ $ pass remove Business/cheese-whiz-factory
diff --git a/src/password-store.sh b/src/password-store.sh
index d89d455..af3b649 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -270,6 +270,8 @@ cmd_usage() {
              If put on the clipboard, it will be cleared in $CLIP_TIME 
          $PROGRAM grep [GREPOPTIONS] search-string
              Search for password files containing search-string when 
+        $PROGRAM check
+            Search for password files containing passwords found on 
Have I Been Pwned.
          $PROGRAM insert [--echo,-e | --multiline,-m] [--force,-f] 
              Insert new password. Optionally, echo the password back to 
the console
              during entry. Or, optionally, the entry may be multiline. 
Prompt before
@@ -398,6 +400,22 @@ cmd_find() {
      tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs 
--ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( 

+cmd_check() {
+    local password passfile sha1 prefix rest
+    while read -r -d "" passfile; do
+        password="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | head -1)"
+        [[ $? -ne 0 ]] && continue
+        sha1=$(echo -n "$password" | $GPG --print-md sha1 | sed "s/ //g")
+        prefix=$(echo "${sha1:0:5}")
+        rest=$(echo "${sha1:5}")
+        set +o pipefail
+        if wget -q -O- https://api.pwnedpasswords.com/range/"$prefix" | 
grep -qi "$rest"
+        then
+            echo "$passfile" contains a password found on HIBP.
+        fi
+    done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg' 
  cmd_grep() {
      [[ $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [GREPOPTIONS] 
      local passfile grepresults
@@ -690,6 +708,7 @@ case "$1" in
      show|ls|list) shift;        cmd_show "$@" ;;
      find|search) shift;        cmd_find "$@" ;;
      grep) shift;            cmd_grep "$@" ;;
+    check) shift;            cmd_check "$@" ;;
      insert|add) shift;        cmd_insert "$@" ;;
      edit) shift;            cmd_edit "$@" ;;
      generate) shift;        cmd_generate "$@" ;;

More information about the Password-Store mailing list