[PATCH] Add command 'check' to check passwords against HIBP

Jacob MacDonald jaccarmac at gmail.com
Thu Jan 17 23:55:14 CET 2019


Haven't tried this patch but was looking to solve the same problem when I
saw the blog post yesterday. There are a couple extensions out there that
also implement this functionality. The first is able to check all passwords
in the store and thus is what I ended up using.

[1] https://github.com/jamesridgway/pass-pwned
[2] https://github.com/alzeih/pass-pwned

On Thu, Jan 17, 2019 at 4:49 PM Pass Word <passwordstore at 89vx.net> wrote:

> Someone asked on irc today for an option to check passwords against the
> Have I Been Pwned website to see if they are already compromised.  It is
> probably extremely rare for a password generated with pass to already be
> on there but whatever, it is still somewhat useful to check other
> passwords you might have stored in pass.
>
> Only the first 5 chars of the sha1 hash of each password are sent to the
> site (k-anonymity).
>
> Requires wget.
>
> $ pass check
> /Users/me/.password-store/deleteme.gpg contains a password found on HIBP.
>
>
>
>
> diff --git a/man/pass.1 b/man/pass.1
> index 01a3fbe..c20482b 100644
> --- a/man/pass.1
> +++ b/man/pass.1
> @@ -89,6 +89,13 @@ for matching. \fIGREPOPTIONS\fP are passed to
>   .BR grep (1)
>   as-is. (Note: the \fIGREP_OPTIONS\fP environment variable functions as
> well.)
>   .TP
> +\fBcheck\fP
> +Searches inside each decrypted password file for passwords found on the
> +\fBHave I Been Pwned\fP
> +(http://pwnedpasswords.com)
> +website.  Only the first five characters of the SHA1 sum of each password
> +are submitted.
> +.TP
>   \fBfind\fP \fIpass-names\fP...
>   List names of passwords inside the tree that match \fIpass-names\fP by
> using the
>   .BR tree (1)
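Review bot: the man page entry overstates what `check` does: it says it "Searches inside each decrypted password file", but `cmd_check` hashes only the first line of each file (`head -1`), so nothing below the first line is ever checked; say "the first line (the password) of each file" instead. Also link the site over TLS (https://pwnedpasswords.com) and write "SHA-1" rather than "SHA1".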
> @@ -287,6 +294,11 @@ Generate new password and copy it to the clipboard
>   .br
>   Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.
>   .TP
> +Check for compromised passwords
> +.B zx2c4 at laptop ~ $ pass check
> +.br
> +/Users/me/.password-store/deleteme.gpg contains a password found on HIBP
> +.TP
>   Remove password from store
>   .B zx2c4 at laptop ~ $ pass remove Business/cheese-whiz-factory
>   .br
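Review bot: the example output here does not match the code: `cmd_check` echoes "... found on HIBP." with a trailing period, and the surrounding examples name entries by their store-relative name (`Email/jasondonenfeld.com`) rather than an absolute `.gpg` path, while a `/Users/me` home contradicts the `zx2c4@laptop` prompt. Print the entry name in `cmd_check` and keep the man page line and the `echo` text identical.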
> diff --git a/src/password-store.sh b/src/password-store.sh
> index d89d455..af3b649 100755
> --- a/src/password-store.sh
> +++ b/src/password-store.sh
> @@ -270,6 +270,8 @@ cmd_usage() {
>               If put on the clipboard, it will be cleared in $CLIP_TIME
> seconds.
>           $PROGRAM grep [GREPOPTIONS] search-string
>               Search for password files containing search-string when
> decrypted.
> +        $PROGRAM check
> +            Search for password files containing passwords found on
> Have I Been Pwned.
>           $PROGRAM insert [--echo,-e | --multiline,-m] [--force,-f]
> pass-name
>               Insert new password. Optionally, echo the password back to
> the console
>               during entry. Or, optionally, the entry may be multiline.
> Prompt before
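Review bot: the usage text should say that `check` is the one command that talks to the network: it sends one HTTPS request per entry to api.pwnedpasswords.com (the `wget` call in `cmd_check`) and needs `wget` installed, which the cover letter mentions but neither the usage nor the man page does. Something like: `$PROGRAM check` / `Query api.pwnedpasswords.com (first 5 hex chars of each SHA-1 only) for every stored password. Requires wget.`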
> @@ -398,6 +400,22 @@ cmd_find() {
>       tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs
> --ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?(
> ->|$)/\1\2/g'
>   }
>
> +cmd_check() {
> +    local password passfile sha1 prefix rest
> +    while read -r -d "" passfile; do
> +        password="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | head -1)"
> +        [[ $? -ne 0 ]] && continue
> +        sha1=$(echo -n "$password" | $GPG --print-md sha1 | sed "s/ //g")
> +        prefix=$(echo "${sha1:0:5}")
> +        rest=$(echo "${sha1:5}")
> +        set +o pipefail
> +        if wget -q -O- https://api.pwnedpasswords.com/range/"$prefix" |
> grep -qi "$rest"
> +        then
> +            echo "$passfile" contains a password found on HIBP.
> +        fi
> +    done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg'
> -print0)
> +}
> +
>   cmd_grep() {
>       [[ $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [GREPOPTIONS]
> search-string"
>       local passfile grepresults
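Review bot: `set +o pipefail` inside the loop is never turned back on, so from the second iteration onward (and for the rest of the script) `$?` after `password="$(... | head -1)"` is the status of `head`, not of `$GPG`: a file that fails to decrypt is no longer skipped, and the empty string is hashed and queried instead. Test the decryption directly rather than toggling pipefail, e.g. `password=$($GPG -d "${GPG_OPTS[@]}" "$passfile" | head -n1) || continue`, and run only the `wget` pipe in a subshell with pipefail off if that is really needed. The `wget -q -O- ... | grep -qi "$rest"` pipe also swallows every failure: a network error, an HTTP 4xx/5xx or a rate-limit response yields "no match", which `pass check` reports as silence, indistinguishable from "not found"; capture the body first, check wget's exit status and print a "could not check" line for that file. Smaller points: `grep -qi "^$rest:"` makes the intended whole-suffix match on the `SUFFIX:COUNT` response lines explicit; `prefix=${sha1:0:5}` and `rest=${sha1:5}` need no `echo` subshell; and `printf '%s' "$password"` is safer than `echo -n`, which would misread a password beginning with `-e` or `-n` as options.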
> @@ -690,6 +708,7 @@ case "$1" in
>       show|ls|list) shift;        cmd_show "$@" ;;
>       find|search) shift;        cmd_find "$@" ;;
>       grep) shift;            cmd_grep "$@" ;;
> +    check) shift;            cmd_check "$@" ;;
>       insert|add) shift;        cmd_insert "$@" ;;
>       edit) shift;            cmd_edit "$@" ;;
>       generate) shift;        cmd_generate "$@" ;;
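Review bot: `cmd_check "$@"` forwards arguments that `cmd_check` never reads, so `pass check foo` silently checks the whole store; either reject extra arguments with a usage error as the other commands do (`[[ $# -ne 0 ]] && die "Usage: $PROGRAM $COMMAND"`) or accept an optional subfolder and restrict the `find` to it.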
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/password-store
>
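The k-anonymity lookup the patch performs, written out as an added example that is neither the patch's code nor part of pass. It hashes locally, sends only the first five hex characters of the SHA-1 and matches the remaining 35 against the returned range body on this side. It goes slightly beyond the patch in two ways a practitioner wants: a fetch failure is reported as "unknown" with its own exit status instead of reading as "not found", and the suffix match is anchored on the response's `SUFFIX:COUNT` line format. Assumptions: `sha1sum` (coreutils) or `shasum` is on PATH; `fetch_range_sample` is a constructed stand-in for the HTTP response, in which only the SHA-1 of "password" is genuine and every other suffix and count is made up; `fetch_range_live` is the `curl` form of the real request and is not exercised here.

```shell
#!/bin/sh
# Added example (not the patch's code and not part of pass): the k-anonymity
# range lookup, modelled offline. Only the first five hex characters of the
# SHA-1 leave the machine; the remaining 35 are matched locally against the
# "SUFFIX:COUNT" lines the range endpoint returns.

# Assumption: sha1sum (coreutils) or shasum (Perl/macOS) is on PATH.
SHA1_CMD=sha1sum
command -v sha1sum >/dev/null 2>&1 || SHA1_CMD="shasum -a 1"

# Uppercase hex SHA-1 of $1. printf, not echo -n, so a password such as
# "-n" or "-e" is hashed verbatim rather than eaten as an echo option.
sha1_hex() {
    printf '%s' "$1" | $SHA1_CMD | cut -c1-40 | tr 'abcdef' 'ABCDEF'
}

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The live endpoint answers with CRLF-terminated "SUFFIX:COUNT" lines for
# every hash sharing the prefix. The middle line is the genuine SHA-1 of
# "password" (5BAA6 + 1E4C...8FD8); the other suffixes and all counts are
# invented for this example.
fetch_range_sample() {
    case $1 in
        5BAA6) printf '%s\r\n' \
                   '003D68EB55068C33ACE09247EE4C639306B:3' \
                   '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471' \
                   '7A4F2C7C5D1E0B9A8F6E5D4C3B2A1908776:12' ;;
        *)     printf '%s\r\n' '00000000000000000000000000000000000:1' ;;
    esac
}

# Live fetcher (not exercised here). curl --fail turns HTTP errors such as a
# 429 rate limit into a non-zero exit instead of an empty body that would
# otherwise read as "not found".
fetch_range_live() {
    curl -fsS "https://api.pwnedpasswords.com/range/$1"
}

# check_password PASSWORD [FETCHER]: prints the breach count and returns
# 0 (found), 1 (not found) or 2 (range could not be fetched: unknown, not clean).
check_password() {
    local fetcher digest prefix suffix body count
    fetcher=${2:-fetch_range_sample}
    digest=$(sha1_hex "$1")
    prefix=$(printf '%.5s' "$digest")          # the only part sent over the wire
    suffix=$(printf '%s' "$digest" | cut -c6-)
    body=$("$fetcher" "$prefix") || {
        echo "range $prefix: lookup failed, result unknown" >&2
        return 2
    }
    # Compare the whole first field against the suffix, so only an exact
    # suffix line counts; strip the CR the API appends before reading the count.
    count=$(printf '%s\n' "$body" | awk -F: -v want="$suffix" '
        { sub(/\r$/, "", $2) }
        toupper($1) == want { n = $2 }
        END { print n + 0 }')
    echo "$count"
    [ "$count" -gt 0 ]
}

# Stand-alone demonstration against the constructed range body.
for pw in password 'correct horse battery staple'; do
    count=$(check_password "$pw")
    case $? in
        0) echo "'$pw' found in HIBP ($count times)" ;;
        1) echo "'$pw' not found" ;;
        *) echo "'$pw' could not be checked" ;;
    esac
done
```

To run it against the real service, pass `fetch_range_live` as the second argument; the three-way exit status is the point of the example, since a store-wide check that prints nothing on a network error would look exactly like a clean result.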