Verifying passwords against HIBP #1520

Closed
louib wants to merge 1 commit into keepassxreboot:develop from louib:have_i_been_pwned


@louib louib commented Feb 23, 2018

New CLI command to verify a password database against the HIBP database dump.

Motivation and context

Was inspired by https://news.ycombinator.com/item?id=16446020

How has this been tested?

Locally.

Screenshots (if appropriate):

$ keepassxc-cli pawned ~/1.kdbx ~/Downloads/pwned-passwords-2.0.txt
Insert password to unlock /home/louib/1.kdbx: 
Password for entry2 (fdd9d458b34d1157ffa3053787674971) was pawned 14434 times.
Password for entry1 (eff7485a277952b289456b3d71a3b300) was pawned 5401 times.
Password for entry3 (08a7c64479e9a54cc22f93439bd0cd7a) was pawned 5401 times.

Types of changes

  • ✅ New feature (non-breaking change which adds functionality)

Checklist:

  • ✅ I have read the CONTRIBUTING document. [REQUIRED]
  • ✅ My code follows the code style of this project. [REQUIRED]
  • ✅ All new and existing tests passed. [REQUIRED]
  • ✅ I have compiled and verified my code with -DWITH_ASAN=ON. [REQUIRED]
  • ✅ My change requires a change to the documentation and I have updated it accordingly.


TheZ3ro commented Feb 23, 2018

Personally I would do a s/pawned/pwned/ since it's the correct leetspeak term https://en.wikipedia.org/wiki/Pwn

Side note: This PR is based on an offline SHA1 database of pwned passwords, instead of #1083 (comment) that uses the service API

@droidmonkey

Personally I would not add sha1 to the CryptoHash class, however convenient. Either make the gcrypt calls directly from the cli code or create a new class (SHA1Hash). We don't want sha1 related to crypto in any way.

@droidmonkey droidmonkey added this to the v2.4.0 milestone Feb 24, 2018
@louib louib closed this Mar 31, 2018
@droidmonkey droidmonkey removed this from the v2.4.0 milestone Aug 29, 2018
@phoerious phoerious added pr: new feature Pull request adds a new feature and removed new feature labels Nov 22, 2024
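
As an added illustration (not code from this pull request or from KeePassXC), the offline check discussed in this thread can be sketched in Python: hash each entry's password with SHA-1 and binary-search a local dump without loading it into memory. It assumes the dump holds one `SHA1:COUNT` line per hash, sorted by hash; the function names and the sample data are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha1_hex(password):
    # Uppercase hex SHA-1, the digest form assumed for the dump's lines.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _line_at_or_after(f, pos):
    # First complete line that starts at or after byte offset pos.
    f.seek(max(pos - 1, 0))
    if pos:
        f.readline()  # discard the rest of the line holding byte pos-1
    return f.readline()

def pwned_count(dump_path, password):
    # Binary search over byte offsets; requires the dump sorted by hash.
    target = sha1_hex(password).encode("ascii")
    with open(dump_path, "rb") as f:
        lo, hi = 0, os.path.getsize(dump_path)
        while lo < hi:
            mid = (lo + hi) // 2
            line = _line_at_or_after(f, mid)
            if not line or line[:40] >= target:
                hi = mid       # first candidate line is at or before mid
            else:
                lo = mid + 1   # every line up to this one sorts below target
        line = _line_at_or_after(f, lo)
    digest, _, count = line.strip().partition(b":")
    return int(count) if digest == target else 0

def audit(entries, dump_path):
    # entries: {label: password}. Only labels and counts are returned, so
    # neither plaintext nor password hashes end up in the report.
    counts = {label: pwned_count(dump_path, pw) for label, pw in entries.items()}
    return {label: n for label, n in counts.items() if n}

def write_sample_dump(path):
    # Constructed sample data: well-known weak passwords, made-up counts.
    rows = {"password": 14434, "123456": 5401, "qwerty": 77}
    lines = sorted(f"{sha1_hex(p)}:{c}\r\n" for p, c in rows.items())
    with open(path, "w", newline="") as f:
        f.writelines(lines)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample_dump(os.path.join(d, "dump.txt"))
        print(audit({"entry1": "123456", "entry2": "unique-long-phrase"}, os.path.join(d, "dump.txt")))
```

A dump ordered by prevalence rather than by hash would need a linear scan or a re-sort first, since the byte-offset search depends on hash order.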

Labels

feature: CLI pr: new feature Pull request adds a new feature
