[PATCH] Add command 'check' to check passwords against HIBP

Ben Burwell password-store at benburwell.com
Fri Jan 18 03:54:26 CET 2019

On Thu, Jan 17, 2019 at 02:48:04PM -0800, Pass Word wrote:
> Someone asked on irc today for an option to check passwords against the Have
> I Been Pwned website to see if they are already compromised.  It is probably
> extremely rare for a password generated with pass to already be on there but
> whatever, it is still somewhat useful to check other passwords you might
> have stored in pass.
> Only the first 5 chars of the sha1 hash of each password is sent to the site
> (k-anonymity).
> Requires wget.

For what it's worth, I've implemented this as an extension[1] which has the
ability to check a single password or your entire store against either Have I
Been Pwned or a local wordlist.


Check all passwords in the store against the rockyou wordlist:

  $ pass audit all --wordlist=/usr/share/wordlists/rockyou.txt

Check your password for GitHub to see if it is included in the HIBP list using
the online API:

  $ pass audit --hibp github.com

Check your password for GitHub to see if it is a dictionary word:

  $ pass audit check --wordlist=/usr/share/dict/words github.com

[1] https://github.com/benburwell/pass-audit

More information about the Password-Store mailing list