keepassxc-pwned's Introduction

KeepassXC-Pwned

Project Status

The functionality to check passwords against the HIBP database has been built into keepassxc since version 2.6.0 (Database > Database Reports > HIBP). This project should still work on keepassxc versions <2.6.0, though it fails due to what I assume is a change in the specification for the keepassxc-cli export post version 2.6.0. I don't plan to update this to work with keepassxc 2.6.0, seeing as the functionality this offered is now built in. This can still be used as a utility module to check passwords against the HIBP database:

In python code:

from keepassxc_pwned import check_password
check_password("password")

Note: check_password doesn't attempt to do any rate limiting.

or, by entering the password manually:

$ python3 -m keepassxc_pwned
Password to check:
Found password 1054 times!

This checks a KeePassXC database against previously cracked haveibeenpwned passwords.

Requirements

  • keepassxc-cli binary (typically installed with KeePassXC)
  • python 3.6 or above

Install

pip3 install keepassxc-pwned

Run

Run: keepassxc_pwned ~/database.kdbx

Usage: keepassxc_pwned [OPTIONS] DATABASE

  Check a keepassxc database against previously cracked haveibeenpwned
  passwords

Options:
  -p, --plaintext       Print breached passwords in plaintext; defaults to
                        sha1 hashes.

  -k, --key-file PATH   Key file for the database
  -v, --verbose         Print debug messages
  -q, --quiet           Don't print status messages, just the summary
  --keepassxc-cli PATH  Specify a different location for the keepassxc-cli
                        binary

  --help                Show this message and exit.

Sample Run:

$ keepassxc_pwned ~/Documents/updated_database.kdbx
Insert password for /home/sean/Documents/updated_database.kdbx:
Checking password for Amazon...
Checking password for Github...
Checking password for Netflix...
Checking password for Steam...
Checking password for letterboxd...
Checking password for linkedin...
Checking password for minecraft...
Found password for 'minecraft' 3 times in the dataset!
Checking password for soundcloud...
Checking password for stackoverflow...
Checking password for wikipedia...
Found 1 previously breached password:
minecraft:5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3

Privacy concerns

This tool only transmits the first 5 characters of the SHA-1 hash of your passwords. You can read more about that here.
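
The range lookup described here, as an added example (not keepassxc-pwned's own code): only the 5-character hash prefix leaves the machine, and the remaining 35 characters are matched locally against the returned list. `fake_fetch` is a hypothetical offline stand-in for the HTTPS request to `api.pwnedpasswords.com/range/<prefix>`, and the response body is constructed.

```python
import hashlib
from typing import Callable, Tuple


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): 5 hex chars that are sent, 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(body: str, suffix: str) -> int:
    """Look for our suffix among the 'SUFFIX:COUNT' lines returned for a prefix."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0  # suffix absent from the range: not in the dataset


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    prefix, suffix = split_hash(password)
    # Only `prefix` is handed to the network layer; the password and the
    # remaining 35 hash characters are compared locally.
    return count_in_range(fetch_range(prefix), suffix)


# Constructed response body for prefix 5BAA6. The middle line is the suffix of
# the hash shown in the sample run above; the other suffixes are made up.
SAMPLE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:7\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3\r\n"
    + "F" * 35 + ":1\r\n"
)

requested = []  # every prefix the (hypothetical) transport was asked for


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    requested.append(prefix)
    return SAMPLE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(pwned_count("password", fake_fetch), requested)
```

The server still learns which 5-character bucket was queried, so the prefix narrows the candidates without identifying the password.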

Troubleshooting

If keepassxc-cli is named something else on your installation of KeePassXC, specify the full path by providing the --keepassxc-cli flag, like:

keepassxc_pwned --keepassxc-cli "$(which keepassxc.cli)" ~/Documents/updated_database.kdbx

If you get the following error while using keepassxc-cli:

dyld: Library not loaded: /usr/local/opt/quazip/lib/libquazip.1.dylib
  Referenced from: /usr/local/bin/keepassxc-cli
  Reason: image not found
Abort trap: 6

... installing quazip should fix that:

  • brew install quazip (Mac)

  • sudo apt install libquazip-dev (Linux)

If keepassxc-cli fails with an error message like "Invalid Command extract.", the command was changed in KeePassXC 2.5.0, and is now called export. Upgrade KeePassXC to the latest version, and try again.

Tests

  • Clone this repository
  • Install dev dependencies: pip3 install -r requirements-dev.txt
  • mypy keepassxc_pwned
  • pytest

keepassxc-pwned's People

Contributors

opensource-assist, seanbreckenridge, sturmianseq

keepassxc-pwned's Issues

Not snap-compatible

Hi!
On my Linux Mint 19.1 machine with keepassxc installed as a snap, it didn't work without manual patching ... replacing every keepassxc-cli with keepassxc.cli in keepass_wrapper.py did the job for me.

Add an option to pass a database key to keepassxc-cli

While I was trying to open my kdbx database, the following error occurred:

Error while parsing the database:
Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)

This was actually caused by the fact that the database was protected with both a password and a key, and passing the key is not supported in keepassxc-pwned.

Consider upgrading to keepassxc 2.6.0

Keepassxc version 2.6.0 came with lots of breaking changes. See https://keepassxc.org/blog/2020-07-07-2.6.0-released/

It also included HIBP integration, not sure what that looks like yet, waiting for the new version to be pushed here

Either:

  • Archive this project and list the supported version as <2.6.0, since the HIBP integration replaces this. keepassxreboot/keepassxc#4438
  • or, if the HIBP is vastly different from what this does, update this to work with 2.6.0

Use the click library in the CLI

The Python click library is a very nice tool for a simplified creation of command-line interfaces.
Please look at the examples on their GitHub repo and you will see how beautiful it is.

Rebrand the app

  • Choose a more generic name instead of 'keepassxc-pwned' so that it would be more relevant to support other password database types.
  • Rename the repository to be consistent with the new name.
  • Design an icon for the app.

My inspirations for a new name are:

  • openpasscheck
  • PassFLASK
  • passgone
  • pass::shock

Don't use namedtuples

This isn't a good use case for them, they cause more weird code than they're useful.

uncaught request error, api.pwnedpassword.com not being resolved

requests may report errors, see discussion in #5

But at first it had some errors about api.pwnedpasswords.com not being resolved.

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 159, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.9/site-packages/urllib3/util/connection.py", line 57, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/local/lib/python3.9/socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    httplib_response = self._make_request(conn, method, url,
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 316, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 168, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7fc2dc3ae460>: Failed to establish a new connection: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 640, in urlopen
    retries = retries.increment(method, url, error=e, _pool=self,
  File "/usr/local/lib/python3.9/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.pwnedpasswords.com', port=443): Max retries exceeded with url: /range/385D0 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc2dc3ae460>: Failed to establish a new connection: [Errno -2] Name or service not known'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/keepassxc_pwned", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/keepassxc_pwned/keepassxc_pwned.py", line 197, in main
    sha1, count = lookup_pwned(c.password, logger)
  File "/usr/local/lib/python3.9/site-packages/keepassxc_pwned/password.py", line 40, in lookup_pwned
    res = request_password_hash(head, logger)
  File "/usr/local/lib/python3.9/site-packages/keepassxc_pwned/password.py", line 20, in request_password_hash
    res = requests.get(
  File "/usr/local/lib/python3.9/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.pwnedpasswords.com', port=443): Max retries exceeded with url: /range/385D0 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc2dc3ae460>: Failed to establish a new connection: [Errno -2] Name or service not known'))

Look into using httpx/fixing this issue.
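
One way to keep a resolution failure like the one in this traceback from aborting the whole run, as an added example (not the project's code): retry with backoff, then report the entry as unchecked rather than as clean. `lookup_with_retry`, `scan` and the flaky resolver are hypothetical names; `OSError` is caught because both `socket.gaierror` and `requests.exceptions.ConnectionError` derive from it.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple


def lookup_with_retry(prefix: str, fetch_range: Callable[[str], str],
                      attempts: int = 3, base_delay: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Return the range body, or None once every attempt has failed."""
    for attempt in range(attempts):
        try:
            return fetch_range(prefix)
        except OSError:
            if attempt + 1 < attempts:
                sleep(base_delay * 2 ** attempt)  # back off: 1s, 2s, ...
    return None


def scan(prefixes: Dict[str, str], fetch_range: Callable[[str], str],
         sleep: Callable[[float], None] = time.sleep) -> Tuple[Dict[str, str], List[str]]:
    """Look up every entry; a failure is recorded, not raised."""
    checked, unchecked = {}, []
    for name, prefix in prefixes.items():
        body = lookup_with_retry(prefix, fetch_range, sleep=sleep)
        if body is None:
            unchecked.append(name)  # unknown result, NOT "not breached"
        else:
            checked[name] = body
    return checked, unchecked


def make_flaky_fetch(failures: int) -> Callable[[str], str]:
    """Constructed transport: the first `failures` calls fail to resolve,
    and the made-up prefix 00000 never resolves."""
    state = {"calls": 0}

    def fetch(prefix: str) -> str:
        state["calls"] += 1
        if prefix == "00000" or state["calls"] <= failures:
            raise socket.gaierror(-2, "Name or service not known")
        return "constructed-body-for-" + prefix
    return fetch


def demo():
    delays = []  # captured instead of actually sleeping
    result = scan({"Amazon": "385D0", "Github": "00000"},
                  make_flaky_fetch(2), sleep=delays.append)
    return result, delays
```

The summary should list unchecked entries separately, so an outage cannot be read as a database with no breached passwords.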
