[PATCH] Add command 'check' to check passwords against HIBP

Tobias Girstmair junkgir-passwd at yahoo.de
Thu Jan 17 23:58:45 CET 2019 

This already exists as the 'pass audit' extension.  
https://github.com/roddhjav/pass-audit/

I've contributed zxcvbn strength checking ;-)

On a whole, the pass project has moved to encouraging people to write 
extensions instead of extending the main script, as it has gotten way 
longer than zx2c4 et al probably ever intended.

lg

On Thu, Jan 17, 2019 at 02:48:04PM -0800, Pass Word wrote:
>Someone asked on irc today for an option to check passwords against 
>the Have I Been Pwned website to see if they are already compromised.� 
>It is probably extremely rare for a password generated with pass to 
>already be on there but whatever, it is still somewhat useful to check 
>other passwords you might have stored in pass.
>
>Only the first 5 chars of the sha1 hash of each password is sent to 
>the site (k-anonymity).
>
>Requires wget.
>
>$ pass check
>/Users/me/.password-store/deleteme.gpg contains a password found on HIBP.
>
>
>
>
>diff --git a/man/pass.1 b/man/pass.1
>index 01a3fbe..c20482b 100644
>--- a/man/pass.1
>+++ b/man/pass.1
>@@ -89,6 +89,13 @@ for matching. \fIGREPOPTIONS\fP are passed to
>�.BR grep (1)
>�as-is. (Note: the \fIGREP_OPTIONS\fP environment variable functions 
>as well.)
>�.TP
>+\fBcheck\fP
>+Searches inside each decrypted password file for passwords found on the
>+\fBHave I Been Pwned\fP
>+(http://pwnedpasswords.com)
>+website.� Only the first five characters of the SHA1 sum of each password
>+are submitted.
>+.TP
>�\fBfind\fP \fIpass-names\fP...
>�List names of passwords inside the tree that match \fIpass-names\fP 
>by using the
>�.BR tree (1)
>@@ -287,6 +294,11 @@ Generate new password and copy it to the clipboard
>�.br
>�Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.
>�.TP
>+Check for compromised passwords
>+.B zx2c4 at laptop ~ $ pass check
>+.br
>+/Users/me/.password-store/deleteme.gpg contains a password found on HIBP
>+.TP
>�Remove password from store
>�.B zx2c4 at laptop ~ $ pass remove Business/cheese-whiz-factory
>�.br
>diff --git a/src/password-store.sh b/src/password-store.sh
>index d89d455..af3b649 100755
>--- a/src/password-store.sh
>+++ b/src/password-store.sh
>@@ -270,6 +270,8 @@ cmd_usage() {
>���� ������� If put on the clipboard, it will be cleared in $CLIP_TIME 
>seconds.
>���� ��� $PROGRAM grep [GREPOPTIONS] search-string
>���� ������� Search for password files containing search-string when 
>decrypted.
>+��� ��� $PROGRAM check
>+��� ������� Search for password files containing passwords found on 
>Have I Been Pwned.
>���� ��� $PROGRAM insert [--echo,-e | --multiline,-m] [--force,-f] 
>pass-name
>���� ������� Insert new password. Optionally, echo the password back 
>to the console
>���� ������� during entry. Or, optionally, the entry may be multiline. 
>Prompt before
>@@ -398,6 +400,22 @@ cmd_find() {
>���� tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs 
>--ignore-case "$PREFIX" | tail -n +2 | sed -E 
>'s/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g'
>�}
>
>+cmd_check() {
>+��� local password passfile sha1 prefix rest
>+��� while read -r -d "" passfile; do
>+��� ��� password="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | head -1)"
>+��� ��� [[ $? -ne 0 ]] && continue
>+��� ��� sha1=$(echo -n "$password" | $GPG --print-md sha1 | sed "s/ //g")
>+��� ��� prefix=$(echo "${sha1:0:5}")
>+��� ��� rest=$(echo "${sha1:5}")
>+��� ��� set +o pipefail
>+��� ��� if wget -q -O- https://api.pwnedpasswords.com/range/"$prefix" 
>| grep -qi "$rest"
>+��� ��� then
>+��� ��� ��� echo "$passfile" contains a password found on HIBP.
>+��� ��� fi
>+��� done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname 
>'*.gpg' -print0)
>+}
>+
>�cmd_grep() {
>���� [[ $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [GREPOPTIONS] 
>search-string"
>���� local passfile grepresults
>@@ -690,6 +708,7 @@ case "$1" in
>���� show|ls|list) shift;��� ��� cmd_show "$@" ;;
>���� find|search) shift;��� ��� cmd_find "$@" ;;
>���� grep) shift;��� ��� ��� cmd_grep "$@" ;;
>+��� check) shift;��� ��� ��� cmd_check "$@" ;;
>���� insert|add) shift;��� ��� cmd_insert "$@" ;;
>���� edit) shift;��� ��� ��� cmd_edit "$@" ;;
>���� generate) shift;��� ��� cmd_generate "$@" ;;
>_______________________________________________
>Password-Store mailing list
>Password-Store at lists.zx2c4.com
>https://lists.zx2c4.com/mailman/listinfo/password-store

More information about the Password-Store mailing list