keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Check database against Troy Hunt's Pwned Passwords database. #1660

Closed zee0 closed 6 years ago

zee0 commented 6 years ago

Enhancement Request

Check passwords against the Pwned Passwords database via the API. More info here: https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

Current Behavior

If you're currently using a password that generates a hash that's in the Pwned Passwords database, it's utterly useless for authentication.

Possible Solution

Getting an alert that hashes of passwords in the KeePass database are in the Pwned Passwords database would alert users to change them immediately.

Implementation

Context

While generating long passwords via the generator probably assures their uniqueness, there is still a small possibility that they are in the Pwned Passwords database. Additionally, if users do not use the password generator, but use KeePass simply as a grey-matter backup [and consequently have less random passwords], it would be advantageous for them to know if a password was pwned.
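The check the request above asks for, written out as an added example (this is not KeePassXC code and not the issue author's): each password is hashed with SHA-1, and only the first five hex characters of the hash are sent to the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`, the real k-anonymity API, which answers with `SUFFIX:COUNT` lines). The full hash, and therefore the password, never leaves the machine. The network fetch is injectable so the block runs offline against a constructed fixture; the range response and its counts below are made up for the example, and the `live_fetch_range` helper is the only part that talks to the real service.

```python
"""Pwned Passwords k-anonymity range check (illustrative, not KeePassXC's code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed fixture standing in for one API response. The suffixes other than
# the first are invented, and so are the counts; the ":0" lines mimic the
# zero-count padding entries the API adds when "Add-Padding: true" is sent.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # SHA-1 of "password"
        "0123456789ABCDEF0123456789ABCDEF012:17",
        "FEDCBA9876543210FEDCBA9876543210FED:0",         # padding entry
    ]),
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords service keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """First 5 hex chars go over the wire; the remaining 35 stay local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding (count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in breaches (0 if never seen)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_pwned_entries(entries: Iterable[Tuple[str, str]],
                       fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """Scan (title, password) pairs, as a database walk would, and report hits."""
    hits = []
    for title, password in entries:
        n = pwned_count(password, fetch_range)
        if n:
            hits.append((title, n))
    return hits


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API using the constructed fixture above."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real query; only the 5-char prefix is sent. Not called by the tests."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample entries standing in for a KeePass database.
    sample = [("mail", "password"), ("bank", "correct horse battery staple")]
    for title, n in find_pwned_entries(sample, offline_fetch_range):
        print(f"{title}: seen {n} times, change it")
```

The prefix scheme is what makes the check tolerable from a password manager: the service learns only that one of roughly a million candidate hashes is being looked up, and every comparison of the remaining 35 characters happens locally. Padding entries with a count of 0 are discarded before matching so they cannot be mistaken for real hits.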

phoerious commented 6 years ago

Checking that database is not of much use if you are using a password manager. See our blog post about it: https://keepassxc.org/blog/2018-02-24-pwned-database/

zee0 commented 6 years ago

@phoerious: With all due respect to your well-written blog post, your point number 2 is exactly why we need this:

  2. You are using services that got compromised and didn’t hash their passwords properly (stop using them!)

This assumes that you're informed when a password gets compromised. We all know that responsible and timely disclosure is anything but the norm.

I'm signed up with haveibeenpwned for half a dozen domains that I administer. I can tell you that frequently an email from Troy's system is the first notice I get that an account has been compromised.

phoerious commented 6 years ago

You should read the last part, too. There is really no need to check the password if instead you could check the username. In fact, checking the username is far more likely to give you a positive result with less risk involved.