On Thu, Jan 17, 2019 at 02:48:04PM -0800, Pass Word wrote:
> Someone asked on irc today for an option to check passwords against the Have
> I Been Pwned website to see if they are already compromised. It is probably
> extremely rare for a password generated with pass to already be on there but
> whatever, it is still somewhat useful to check other passwords you might
> have stored in pass.
>
> Only the first 5 chars of the sha1 hash of each password is sent to the site
> (k-anonymity).
>
> Requires wget.

For what it's worth, I've implemented this as an extension[1] which has the
ability to check a single password or your entire store against either Have I
Been Pwned or a local wordlist.

Examples:

Check all passwords in the store against the rockyou wordlist:

    $ pass audit all --wordlist=/usr/share/wordlists/rockyou.txt

Check your password for GitHub to see if it is included in the HIBP list using
the online API:

    $ pass audit --hibp github.com

Check your password for GitHub to see if it is a dictionary word:

    $ pass audit check --wordlist=/usr/share/dict/words github.com

[1] https://github.com/benburwell/pass-audit
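
The k-anonymity check mentioned in the quoted message, as an added example (not code from the proposed patch or from pass-audit): only the 5-character prefix goes to the server, and the remaining 35 hex characters are matched locally against the returned list. The function names and the sample response are constructed for illustration; the range endpoint and Add-Padding header are those of the public Pwned Passwords API.

```shell
# Added example: client side of an HIBP range (k-anonymity) lookup.
# sha1_upper, hibp_prefix, hibp_fetch, hibp_count, sample_response are
# hypothetical helper names, not part of pass or pass-audit.

sha1_upper() {
    # printf is a shell builtin, so the password never shows up in the
    # process list, and no trailing newline gets hashed.
    printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# The only value that leaves the machine: first 5 hex chars of the hash.
hibp_prefix() {
    sha1_upper "$1" | cut -c1-5
}

# Network step (not run by default). Add-Padding asks the API to pad the
# response with zero-count entries so its size does not hint at the prefix.
hibp_fetch() {
    wget -q -O - --header='Add-Padding: true' \
        "https://api.pwnedpasswords.com/range/$(hibp_prefix "$1")"
}

# Reads a range response on stdin ("SUFFIX:COUNT" lines, CRLF-terminated)
# and prints the breach count for the password; 0 means not listed.
# Padded entries carry a count of 0, so they also read as "not listed".
hibp_count() {
    suffix=$(sha1_upper "$1" | cut -c6-40)
    tr -d '\r' | awk -F: -v s="$suffix" \
        'toupper($1) == s { n = $2 } END { print n + 0 }'
}

# Constructed response for the prefix of the string "password"; the count
# 42 and the other two entries are made up, the last mimics a padding line.
sample_response() {
    printf '%s\r\n' \
        '0000000000000000000000000000000000A:3' \
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42' \
        'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0'
}

# Offline demonstration against the constructed response.
printf 'prefix sent: %s, local match count: %s\n' \
    "$(hibp_prefix password)" "$(sample_response | hibp_count password)"
```

For a live check, pipe the network step into the matcher: hibp_fetch "$pw" | hibp_count "$pw".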