Skip to main content

Finding leaked passwords in password-store

ยท 2 min read

I use password-store by ZX2C4 as my password manager of choice.

I also have been following Troy Hunt's project haveibeenpwned.com, this is a great tool that has received lots of praise for shining a light on just on likley it is that your credentials (emails or passwords) have already been compromised. Addionally he provides an API for checking your password aginst a database of known breached passwords.

Here is a short write-up about how 1Password.org has used this API to discourage the re-use of a known password.

I decided that I needed this functionality as well, so in following the footsteps of others I built an extension for password-store that you can use to check your password using the Have I Been Pwned: API V2.

Wait! Isn't it unsafe to send your password to a third-party?

Yes, absolutley. There is however a compromise that I find personally acceptable.

In short the solution is to NOT send the password in it's entirety to the API but rather hash the password and send a small piece of said hash to the API to return a list of possible hashes that match, from there you can compare the hashed password locally with the list returned from the API and verify if there is a match.

You can read a more in depth explanation here.

I use password-store, how can I get this extension?

clone the pass-extension-hibp repository and run make install

git clone https://github.com/manila/pass-extension-hibp && cd pass-extension-hibp && sudo make install

Here is a breif rundown of the code

After using some builtin functions in the password-store codebase to get and decrypt the password you want to check from your password store the password is immediatly SHA-1 hashed using OpenSSL

get_sha1() {
echo -n $1 | openssl sha1 | awk '{ print tolower($2) }'
}

Next we clip away the first 5 character of the password hash and include that in the API request URL.

curl -s https://api.pwnedpasswords.com/range/${password_hash:0:5}

Then if there are any hashes containing that string of 5 characters they will be returned in a list with a pwnage count immediately followign the possible hash. We loop through the hashed that are returned and determine if any fit the bill, if so then the password has previously been pwned and is NOT safe to use.

You can explore the source on github.