pass audit

A pass extension for auditing your password repository.

Description

pass audit is a password-store extension for auditing your password repository. Passwords will be checked against the Python implementation of Dropbox's zxcvbn strength estimator and against Troy Hunt's Have I Been Pwned (HIBP) service. It supports safe breached password detection from haveibeenpwned.com using a K-anonymity method: only a short prefix of each password hash is sent, so you do not need to (fully) trust the server that stores the breached passwords. You should read the Security consideration section for more information.

Warning: This extension is still under development. As of today, it only supports password breach detection from HIBP. Many more features are planned, including but not limited to:

  • Full support for haveibeenpwned API,
  • Extended support for password breached API,
  • Fully featured, local password store analysis.

Usage

usage: pass audit [-h] [-V] [-q] [-v] [paths]

  A pass extension for auditing your password repository. It supports safe
  breached password detection from haveibeenpwned.com using K-anonymity method.

positional arguments:
  paths          Path to audit in the password store.

optional arguments:
  -h, --help     show this help message and exit
  -q, --quiet    Be quiet.
  -v, --verbose  Be verbose.
  -V, --version  Show the program version and exit.

More information may be found in the pass-audit(1) man page (man pass-audit).

Examples

Audit a subfolder for pwned passwords

pass audit goodpasswords/
(*) None of the 7 passwords tested are breached.
 .  But it does not mean they are strong.
pass audit pwnedpasswords/
 w  Password breached: password from Password/pwned/5 has been breached 3303003 time(s).
 w  Password breached: correct horse battery staple from Password/pwned/2 has been breached 2 time(s).
[x] Error: 7 passwords tested and 2 breached passwords found.
 .  You should update them with 'pass-update'.

Security consideration

This program uses K-anonymity to query the HIBP server for breached passwords. Applying K-anonymity to a breached-password check against an untrusted remote server is a recent approach. Only the first five hexadecimal characters of the SHA1 hash of your password are sent to the server; the server answers with every hash suffix it holds for that prefix, and the comparison with your own hash happens locally. The server therefore learns only a 20-bit prefix of the 160-bit hash, which corresponds to a bucket of a few hundred breached hashes, and not which one, if any, is yours. This offers decent anonymity; nevertheless, it is not an entirely secure solution: the prefix is still information about your password, and the server (or anyone who can read its logs) can correlate repeated queries from the same client.
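To make the exchange concrete, here is an added example (written for this page, not pass-audit's own implementation) of the range query described above. The password is hashed with SHA1, only the first five hex characters of the digest are handed to the fetcher, and the returned SUFFIX:COUNT list is matched against the remaining 35 characters locally. The online fetcher uses urllib against the HIBP range endpoint at api.pwnedpasswords.com; the offline run at the bottom uses a constructed stand-in for the server whose bucket contents and counts are made up for the example (the count for "password" reuses the figure from the Examples section), and it records every prefix that leaves the client so the leak can be inspected.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# HIBP "range" endpoint: GET /range/<5 hex chars> returns "SUFFIX:COUNT" lines.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA1 of the password, the form HIBP indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> Tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            raise ValueError("malformed range line: %r" % line)
        counts[suffix.strip().upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Fetch the bucket for a 5-char prefix from HIBP (network access required)."""
    if len(prefix) != 5:
        raise ValueError("only a 5-character prefix may leave the client")
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pass-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """Number of times the password appears in the bucket, or 0. Only the prefix is sent."""
    prefix, suffix = split_digest(sha1_hex(password))
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


# Constructed offline stand-in for the server: one bucket per known prefix, with
# made-up counts (the "password" count reuses the README example figure).
FAKE_BUCKETS = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\n"   # sha1("password")
             "0123456789ABCDEF0123456789ABCDEF012:7\n",       # unrelated neighbour
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:1\n",        # sha1("123456")
}


def fake_fetch_range(prefix: str, log: List[str] = None) -> str:
    """Offline fetcher; records every prefix requested so the leak can be inspected."""
    if log is not None:
        log.append(prefix)
    return FAKE_BUCKETS.get(prefix, "")


def audit_offline(passwords: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Run the check over a list with the fake server; return (results, prefixes sent)."""
    sent: List[str] = []
    results = {p: breach_count(p, lambda pre: fake_fetch_range(pre, sent))
               for p in passwords}
    return results, sent


if __name__ == "__main__":
    res, sent = audit_offline(["password", "123456", "example-not-in-bucket"])
    for pw, n in res.items():
        print("%-24s breached %d time(s)" % (pw, n))
    print("prefixes that left the client:", sent)
```

The fetcher is injected so the same lookup logic can be run against the real endpoint or against the constructed buckets; the length check in fetch_range_online is the guard that matters, since a bug that sent the whole digest would silently turn the K-anonymous query into a plain hash lookup.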

Installation

Requirements

  • pass 1.7.0 or greater.
  • python3 (python 3.4, 3.5 and 3.6 are supported)
  • python-requests
    • Debian/Ubuntu: sudo apt-get install python3-requests
    • OSX: pip3 install requests
  • zxcvbn-python (pip3 install zxcvbn)

From git

git clone https://github.com/roddhjav/pass-audit/
cd pass-audit
sudo make install  # For OSX: make install PREFIX=/usr/local

ArchLinux

pass-audit is available in the Arch User Repository.

pacaur -S pass-audit  # or your preferred AUR install method

Stable version

wget https://github.com/roddhjav/pass-audit/releases/download/v0.1/pass-audit-0.1.tar.gz
tar xzf pass-audit-0.1.tar.gz
cd pass-audit-0.1
sudo make install  # For OSX: make install PREFIX=/usr/local

Releases and commits are signed with the key 06A26D531D56C42D66805049C5469996F0DF68EC. Fetching a key from a keyserver does not by itself establish that it belongs to the author, so check the key's fingerprint against that value and verify the signature; gpg should report a good signature whose primary key fingerprint matches:

wget https://github.com/roddhjav/pass-audit/releases/download/v0.1/pass-audit-0.1.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-audit-0.1.tar.gz.asc
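A "Good signature" line alone is not enough, because it is printed for any key gpg happens to have imported. The following added example (written for this page, not part of pass-audit) pins the check to the fingerprint above by reading gpg's machine-readable --status-fd output and accepting only a VALIDSIG line whose primary key fingerprint matches. The status samples at the bottom are constructed for the example: the timestamps and the second key are made up.

```python
import subprocess
from typing import Optional, Tuple

# Key the README says signs releases and commits.
RELEASE_KEY_FPR = "06A26D531D56C42D66805049C5469996F0DF68EC"


def validsig_fingerprints(status_output: str) -> Optional[Tuple[str, str]]:
    """Extract (signing key fpr, primary key fpr) from gpg --status-fd output.

    gpg emits '[GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo>
    <hashalgo> <class> <primary-fpr>' only for signatures that verify; a
    BADSIG, ERRSIG or NO_PUBKEY run never produces it.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            signing = fields[2].upper()
            primary = fields[11].upper() if len(fields) >= 12 else signing
            return signing, primary
    return None


def signature_matches_key(status_output: str, expected_fpr: str = RELEASE_KEY_FPR) -> bool:
    """True only if the signature verified AND was made by the expected key."""
    fprs = validsig_fingerprints(status_output)
    if fprs is None:
        return False
    expected = expected_fpr.replace(" ", "").upper()
    return expected in fprs


def verify_release(tarball: str, signature: str, expected_fpr: str = RELEASE_KEY_FPR) -> bool:
    """Run gpg on a downloaded release and pin the result to the expected key."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    return signature_matches_key(proc.stdout, expected_fpr)


# Constructed status output (timestamps and the second key are made up).
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG C5469996F0DF68EC Alexandre PUJOL\n"
    "[GNUPG:] VALIDSIG 06A26D531D56C42D66805049C5469996F0DF68EC 2018-03-01 "
    "1519862400 0 4 0 1 10 00 06A26D531D56C42D66805049C5469996F0DF68EC\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
WRONG_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Somebody Else\n"
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2018-03-01 "
    "1519862400 0 4 0 1 10 00 2222222222222222222222222222222222222222\n"
)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG C5469996F0DF68EC Alexandre PUJOL\n"

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("wrong key", WRONG_KEY_STATUS),
                         ("bad", BAD_STATUS)]:
        print(name, "->", signature_matches_key(status))
    # verify_release("pass-audit-0.1.tar.gz", "pass-audit-0.1.tar.gz.asc") needs gpg
    # and the downloaded files, so it is not run here.
```

Note that TRUST_UNDEFINED in the good sample is normal for a freshly fetched key: the web-of-trust rating is irrelevant here because the fingerprint comparison is what ties the signature to the author.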

Contribution

Feedback, contributions and pull requests are all very welcome.

License

Copyright (C) 2018  Alexandre PUJOL and Contributors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
