[PATCH] Add command 'check' to check passwords against HIBP
Ben Burwell
password-store at benburwell.com
Fri Jan 18 03:54:26 CET 2019
On Thu, Jan 17, 2019 at 02:48:04PM -0800, Pass Word wrote:
> Someone asked on irc today for an option to check passwords against the Have
> I Been Pwned website to see if they are already compromised. It is probably
> extremely rare for a password generated with pass to already be on there but
> whatever, it is still somewhat useful to check other passwords you might
> have stored in pass.
>
> Only the first 5 chars of the sha1 hash of each password are sent to the site
> (k-anonymity).
>
> Requires wget.

For what it's worth, I've implemented this as an extension[1] which has the
ability to check a single password or your entire store against either Have I
Been Pwned or a local wordlist.

Examples:

Check all passwords in the store against the rockyou wordlist:

    $ pass audit all --wordlist=/usr/share/wordlists/rockyou.txt

Check your password for GitHub to see if it is included in the HIBP list using
the online API:

    $ pass audit --hibp github.com

Check your password for GitHub to see if it is a dictionary word:

    $ pass audit check --wordlist=/usr/share/dict/words github.com

[1] https://github.com/benburwell/pass-audit
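
Added example, not part of the message above, the proposed patch or the pass-audit extension: the client-side half of the k-anonymity lookup mentioned in the quoted text, showing that only the 5-character prefix is sent and the remaining 35 characters are matched locally. The function names and the sample response body (with its counts) are constructed for illustration; a real client would fetch the body for the prefix over HTTPS.

```shell
#!/bin/sh
# Added example: the local half of a k-anonymity range lookup.
# Function names and SAMPLE_RESPONSE are constructed for illustration.

# SHA-1 of the exact password bytes (no trailing newline), upper-case hex.
sha1_upper() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1
    fi | cut -c1-40 | tr 'a-f' 'A-F'
}

# The only value that leaves the machine: the first 5 hex characters.
hash_prefix() { sha1_upper "$1" | cut -c1-5; }

# The remaining 35 characters never leave; they are compared locally.
hash_suffix() { sha1_upper "$1" | cut -c6-40; }

# lookup_count PASSWORD RESPONSE
# RESPONSE is a range-query body: one "SUFFIX:COUNT" per line, CRLF endings.
# Prints the breach count for PASSWORD, or 0 when its suffix is not listed.
lookup_count() {
    suffix=$(hash_suffix "$1")
    printf '%s\n' "$2" | tr -d '\r' | tr 'a-f' 'A-F' |
        awk -F: -v s="$suffix" '
            $1 == s { print $2; found = 1; exit }
            END     { if (!found) print 0 }'
}

# Constructed response for prefix 5BAA6 (the counts are made up).
SAMPLE_RESPONSE=$(printf '%s\r\n' \
    '00000000000000000000000000000000000:3' \
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42' \
    'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7')

printf 'prefix sent: %s, local match count: %s\n' \
    "$(hash_prefix password)" "$(lookup_count password "$SAMPLE_RESPONSE")"
```

Hashing with printf '%s' rather than echo matters here: a trailing newline changes the digest and every lookup would silently report 0.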