A pass extension for checking passwords against Have I Been Pwned (HIBP).
Usage: pass pwned [--line,-l] [--all,-a] pass-name
Check HIBP to see whether a password has been exposed in a breach,
using SHA-1 and k-anonymity. Only the first five hex characters of
the password's SHA-1 hash ever leave your computer.
# pass pwned truth/epsilonprogram.com
Good news — no pwnage found!
# pass pwned social/lifeinvader.com
Oh no - pwned!
This password has been seen 6 times before.
# pass pwned -a
truth/epsilonprogram.com.gpg
Good news — no pwnage found!
social/lifeinvader.com.gpg
Oh no - pwned!
This password has been seen 6 times before.
finance/lcn-exchange.com.gpg
Good news — no pwnage found!
finance/thebankofliberty.com.gpg
Good news — no pwnage found!
# pass pwned "finance/*"
finance/lcn-exchange.com.gpg
Good news — no pwnage found!
finance/thebankofliberty.com.gpg
Good news — no pwnage found!
- pass-pwned computes the SHA-1 hash (sha1sum) of the password.
- The hash is reduced to its first five hex characters (the prefix).
- Only this five-character prefix is sent to the HIBP Pwned Passwords API.
- HIBP responds with the list of hash suffixes that share that prefix.
- pass-pwned checks locally whether the password's own suffix appears in that list.
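The k-anonymity lookup above, as an added shell example (not the extension's own pwned.bash): it hashes the password locally, splits the digest into the prefix that would be sent and the suffix that stays local, and matches the suffix against a constructed sample of a range-API response instead of calling the network. It assumes sha1sum (coreutils) or shasum is installed.

```bash
#!/usr/bin/env bash
# Added example of the pass-pwned k-anonymity check; runs offline.
set -eu

# Uppercase hex SHA-1 of the password. printf '%s' avoids hashing a newline.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha1sum | cut -c1-40
  else
    printf '%s' "$1" | shasum -a 1 | cut -c1-40
  fi | tr 'a-f' 'A-F'
}

# The 5-char prefix is the only thing sent to HIBP; the 35-char suffix stays local.
hibp_prefix() { sha1_hex "$1" | cut -c1-5; }
hibp_suffix() { sha1_hex "$1" | cut -c6-40; }

# hibp_count PASSWORD RESPONSE
# RESPONSE is the body of a range-API reply ("SUFFIX:COUNT" lines, CRLF-terminated).
# Prints the breach count for the password's suffix, or 0 if it is absent.
hibp_count() {
  suffix=$(hibp_suffix "$1")
  printf '%s\n' "$2" | tr -d '\r' \
    | awk -F: -v s="$suffix" '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}

# Constructed sample reply for prefix 5BAA6 (the prefix of sha1("password")).
# Not real HIBP data; the real extension would GET
# https://api.pwnedpasswords.com/range/<prefix> and feed the body in here.
SAMPLE_RANGE_RESPONSE=$(printf '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n0D0C4E2F6B3F7E3C9A1B5E2D7F8A9C0B1D2:2\r\n')

# Demo against the sample, mirroring the extension's output style.
demo() {
  n=$(hibp_count "$1" "$SAMPLE_RANGE_RESPONSE")
  if [ "$n" -gt 0 ]; then
    echo "Oh no - pwned!"
    echo "This password has been seen $n times before."
  else
    echo "Good news - no pwnage found!"
  fi
}
demo "password"
```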
See this blog post for a more thorough description of the process, or this blog post for even more details.
# sudo make install
'./pwned.bash' -> '/usr/lib/password-store/extensions/pwned.bash'
# pass pwned --version
pass-pwned v0.1.0