Checks a KeePass (Wikipedia) database against the Have I Been Pwned service.

Note: this tool performs network requests, but sends only a fraction of the password hash, thus protecting your password.
- KeePwn opens the database (read-only),
- iterates over all entries,
- retrieves each password,
- hashes it,
- sends the first characters of the hash to the HIBP password API,
- checks whether the remainder of the hash is present in the API's response,
- prints the result to the terminal.
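The steps above, as an added Python example; it is not KeePwn's own Rust code. It relies on two facts about the real service (the range endpoint takes the first five hex characters of the uppercase SHA-1 and answers with one `SUFFIX:COUNT` line per match) and replaces the HTTPS call with an injectable `fetch` function, so the constructed sample response below lets it run offline. The `check_entries` helper, the 1.5 s pause and the made-up count are assumptions for illustration.

```python
"""Worked example (not KeePwn's own code): the k-anonymity check performed
for each entry, with the HTTP call replaced by an injectable fetch function."""
import hashlib
import time
from typing import Callable, Dict, Iterable, List, Tuple

# Real API facts: the range endpoint takes the first 5 hex chars of the
# uppercase SHA-1 and answers with one "SUFFIX:COUNT" line per match.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5


def hibp_query_parts(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix that is sent and the
    35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Number of times the password appears in HIBP (0 = not found).
    Padded responses list extra suffixes with count 0; those are not matches."""
    prefix, suffix = hibp_query_parts(password)
    counts = parse_range_response(fetch(HIBP_RANGE_URL + prefix))
    return counts.get(suffix, 0)


def check_entries(entries: Iterable[Tuple[str, str, str]],
                  fetch: Callable[[str], str],
                  delay_s: float = 1.5,
                  sleep: Callable[[float], None] = time.sleep) -> List[str]:
    """Check (title, user, password) entries, pausing delay_s between API
    calls (assumed rate-limit handling); returns one report line per entry."""
    report: List[str] = []
    first = True
    for title, user, password in entries:
        if not first:
            sleep(delay_s)
        first = False
        n = breach_count(password, fetch)
        status = "password breached" if n else "password not breached"
        report.append(f"Entry '{title}' (user '{user}'): {status}")
    return report


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password"); the
# count is made up, and the 0-count line imitates HIBP's optional padding.
SAMPLE_RESPONSES = {
    HIBP_RANGE_URL + "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
                              "0123456789ABCDEF0123456789ABCDEF012:0\r\n",
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for an HTTPS GET; unknown prefixes return no lines."""
    return SAMPLE_RESPONSES.get(url, "")


if __name__ == "__main__":
    sample = [("", "admin@example.com", "password"),
              ("Some title", "x@nohost.tld", "correct horse battery")]
    for line in check_entries(sample, fake_fetch, sleep=lambda _: None):
        print(line)
```

Swapping `fake_fetch` for a real HTTPS GET of the same URL is the only change needed to run it against the live service; the password and the 35-character suffix are never part of the request, which is the property the note at the top of this README describes.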
```
$ keepwn --help
KeePwn 0.1
Grégoire Surrel
Checks a KeePass database against the Have I Been Pwned service (https://haveibeenpwned.com/)
Note: this tool performs network requests, but send only a fraction of the password hash,
thus protecting your password.

USAGE:
    keepwn [FLAGS] <INPUT>

FLAGS:
    -e, --email       List all the emails from the database
    -h, --help        Prints help information
    -p, --password    Check whether your passwords has been leaked
    -V, --version     Prints version information

ARGS:
    <INPUT>    Sets the KeePass file to use
```
```
$ ./keepwn test_db.kdbx -e -p
Password to unlock test_db.kdbx:
Entry 'Some title' (user 'totally_not_in_any_hibp_database_leak@nohost.tld'): password not breached ✅
Entry '' (user 'admin@example.com'): password breached ⚠️
Entry 'Entry without email but username' (user 'MyNickname'): password breached ⚠️
List of unique emails for manual check:
admin@example.com
totally_not_in_any_hibp_database_leak@nohost.tld
```
Yes, because the API is rate-limited, so a 1.5 s delay is enforced between requests.
The test database `test_db.kdbx` is locked with the password `password` and contains three entries:

- Root node, renamed as MyRoot
  - Entry:
    - No title
    - Username: admin@example.com
    - Password: password
    - URL: http://example.com
  - Entry:
    - Title: Entry without email but username
    - Username: MyNickname
    - Password: MyPassword
    - No URL
  - Sub-group
    - Entry:
      - Title: Some title
      - Username: totally_not_in_any_hibp_database_leak@nohost.tld
      - Password: '=gT´L÷jsvª¥>ɧàí%#qúZ®[.з=í>Èß:që}f;Æ🔐;ǵá%cs{®º$øÙf7FÆ>ªñ%ÚÔÀªE-cÁUFê"P¬ÌP¾NêN¹q.C¢÷ÍA¥XæêÏ®ïâ
      - URL: nohost.tld
This is a sensitive project, handling critical user data, so the crates were chosen carefully:

- keepass has a history of tracking and addressing security vulnerabilities
- checkpwn gives me the impression of being sensible and not doing more than advertised
  - Warning: this is currently a binary crate rather than a library, so the useful code has been copy-pasted in here
- rpassword is a widely-used crate for password input
- fast_chemail is the first result I found for checking emails