Check a KeePass database against Pwned Passwords.
Download the list of password hashes from https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/, unpack it, and check it against your KeePass file with this script.
Requires python3, libkeepass from https://github.com/libkeepass/libkeepass and
```
apt-get install python3-crypto python3-lxml
```
#!/usr/bin/env python3 | |
from __future__ import print_function | |
import argparse | |
import libkeepass | |
import getpass | |
import hashlib | |
import sys | |
# Command-line interface: one positional database path plus two options.
cmdline = argparse.ArgumentParser(
    description='Check keepass database against the pwned list of leaked password hashes',
)
cmdline.add_argument('keypassdb', help='keypass file')
cmdline.add_argument(
    '--password-file',
    default='pwned-passwords-2.0.txt',
    help='The file containing the hashes. default: %(default)s',
)
# Off by default: when set, every reported match carries the cleartext
# password, so the script's output must be handled like the database itself
# (no shared terminals, no redirecting into world-readable logs).
cmdline.add_argument(
    '--print-password',
    action='store_true',
    help='Print the password',
)
args = cmdline.parse_args()

# Uppercase SHA-1 hex digest -> list of labels for the entries using that password.
hashes = {}
def add_entry(title, username, password):
    """Record one credential under the SHA-1 digest of its password.

    The digest is the uppercase hex SHA-1 of the UTF-8 encoded password,
    which is the form later compared against the lines of the hash list.
    SHA-1 is used for that lookup only; it does not protect the password.

    The stored label names the entry by title and username. When
    ``args.print_password`` is set the label also embeds the cleartext
    password, so it ends up in the script's output.
    """
    digest = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()

    if args.print_password:
        label = '%s - username %s password \'%s\'' % (title, username, password)
    else:
        label = '%s - username %s' % (title, username)

    # Entries sharing a password share a digest, so each digest maps to a list.
    hashes.setdefault(digest, []).append(label)
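# Unlock the database and index every entry's password by its SHA-1 digest.
try:
    # getpass prompts on the terminal without echoing, so the master password
    # is not passed as a command-line argument.
    masterpw = getpass.getpass()
    # The master password itself is checked against the list as well.
    add_entry('keypass master password', '', masterpw)
    with libkeepass.open(args.keypassdb, password=masterpw) as kdb:
        for entry in kdb.obj_root.findall('.//Group/Entry'):
            # Map each <String> child's Key text to its Value text.
            kv = {
                field.find('./Key').text: field.find('./Value').text
                for field in entry.findall('./String')
            }
            # Use .get(): an entry that lacks a Password, Title or UserName
            # string would otherwise raise KeyError, which the handler below
            # reports as a database failure and aborts the whole check.
            password = kv.get('Password')
            if password is not None:
                add_entry(kv.get('Title'), kv.get('UserName'), password)
except Exception as e:
    # Top-level boundary: any failure while prompting, opening or walking the
    # database is reported on stderr and ends the run with exit status 2, so
    # no partial result is presented as a complete check.
    print('Could not query KeePass Database %s:\n%s' % (args.keypassdb, str(e)), file=sys.stderr)
    sys.exit(2)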
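# Scan the hash list and report every database entry whose password digest
# appears in it. The file is iterated line by line, never read whole.
with open(args.password_file) as passwordfile:
    for line in passwordfile:
        # Expected line shape is "<SHA-1 hex>:<count>". partition() never
        # raises, so a blank line or a line without a count no longer
        # aborts the scan with an unpacking ValueError.
        digest, sep, count = line.strip().partition(':')
        if not digest:
            continue
        # add_entry stores uppercase hex digests; normalise the file's digest
        # the same way so a lowercase list cannot produce a false "not found".
        for label in hashes.get(digest.upper(), ()):
            # NOTE: label contains the cleartext password when
            # --print-password was given; treat this output as sensitive.
            print("The password for '%s' is in the list with a count of %s" % (label, count if sep else 'unknown'))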