Skip to content

ml4den/KeePass-Pwnage-Check

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
KeePass-pwnage-check.ps1
KeePass-pwnage-check.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Check KeePass Passwords for Pwnage

This script facilitates checking of KeePass passwords for pwnage - or in other words, it checks if they've been leaked online. It works with the haveibeenpwned API and PowerShell.

Instructions

  1. Secure your workspace (optional - see below).
  2. Download the script from this repo to your PC and open it in the Windows PowerShell ISE.
  3. Review the script code and make sure you understand how it works.
  4. Run Set-ExecutionPolicy Unrestricted -Scope Process which will allow the script to run.
  5. Run the script.
  6. When prompted, select your KeePass CSV export saved in a secure area.
  7. When the script is finished, look for a file containing "_pwned.csv" in the same folder.
  8. Open the file in Excel or another editor, review and change any pwned passwords.
  9. Don't panic. Just because a password has been leaked online, doesn't mean that the account(s) associated with it have been compromised.

On security and trust

The script utilises haveibeenpwned's k-anonymity API and works in PowerShell, which means that anyone can verify how this script works and trust that their password isn't provided to any third parties for the purposes of this check. Obviously disclosing passwords to third parties (no matter how trustworthy) or running arbitrary code on them is not a good idea. Users of this script are advised to read through it first and understand how it works. It is also a bad idea to export KeePass databases in clear text CSV form to unencrypted storage or other insecure locations. One way to quickly secure your workspace for the purposes of running this script is described below.

Securing the workspace

The KeePass export of the database shouldn't be saved as CSV to an unsecure location. One way to fox that would be to create a Cryptomator vault (open source) which can be used for this purpose and discarded.

  1. Install Cryptomator.
  2. Create a new vault and give it a very strong password generated by KeePass. The vault is just a bunch of encrypted files on disk that get mapped as a drive on your PC.
  3. Unlock the vault - this will map a new virtual drive on your computer.
  4. Use the new drive as the location where you save the KeePass CSV export.
  5. Lock and discard the vault or CSV files when finished.

What does the script do?

This script does the following:

  1. Get CSV data exported from KeePass.
  2. Hash the passwords in sha1.
  3. Save the first five characters of the sha1 hash in a separate field. That way it is more obvious in the code that it is not sending the full hash to the API.
  4. Send the short hash to the API and get a list of matches from haveibeenpwned.
  5. Check if any of the results match the full hash saved locally.
  6. Mark any matches as pwned and export the results in a new CSV file.

Disclaimers

This is not a "proper" PowerShell script. It has been designed to be readable by novice users and does not follow usual standards or conventions. It is meant to do one job and one job only - and that is to allow anyone to check password pwnage, while establishing trust in the process. If you're writing your own script based on this, you can check good practice conventions here.

About

Interract with haveibeenpwned via PowerShell

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages