
(How to) Check all KeePass passwords against the Have I Been Pwned database locally


Karlston


The following tutorial walks you through the steps of integrating password security checks in the KeePass password manager. The checks use the latest Have I Been Pwned database of leaked passwords and everything is run locally so that you don't have to worry about leaking password hashes over the Internet.

 

KeePass is an excellent desktop password manager that stores its databases locally by default. It is a feature-rich password manager that was audited in 2016.

 

Have I Been Pwned is an online service to check whether one of your online accounts has been compromised in a data breach.

 

Some password managers, e.g. 1Password, come with functionality to check passwords against the database.

Setting things up

[Image: keepass password security check]

 

KeePass users can do the same, but locally. Here is what is needed for that:

  1. You need a copy of KeePass.
  2. Download the latest version of the KeePass plugin HIBP Offline Check. KeePass supports lots of plugins that may improve security and other functionality.
  3. Download the latest SHA-1 (ordered by hash) password database file from Have I Been Pwned.

 

Place the plugin file in the KeePass plugin folder. The plugin is open source and you may build it from scratch and vet it if you have the skills.

 

Installed copies of KeePass are found under C:\Program Files (x86)\KeePass by default.

 

Extract the password database file and place it somewhere on the system. Note that the extracted plain text file is currently 23 Gigabytes in size; the compressed download is roughly 9 Gigabytes.

 

Start the KeePass password manager afterward and select Tools > HIBP Offline Check in the program's interface. Click on Browse and select the password database file that you extracted to the system.

 

You may change other parameters, e.g. the column name in KeePass or the text that is displayed for secure and insecure passwords.

 

Last but not least, select View > Configure Columns, and activate the Have I Been Pwned column to display the findings of the check in the interface.

Checking KeePass passwords against the Have I Been Pwned database

[Image: keepass password check]

 

You have multiple options to check passwords against the database file.

  1. Double-click on the password field of any entry to check it.
  2. Select multiple items, right-click on the selection and pick Selected Entries > Have I Been Pwned database.

 

The plugin also checks any password you update automatically. It computes the SHA-1 hash of the password and looks that hash up in the ordered hash database file to determine whether the password has been leaked; the password itself never leaves the system.
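To show why the "ordered by hash" download is the one to use, here is an added example (not code from the gHacks article or from the HIBP Offline Check plugin) of a local lookup against a file in the Pwned Passwords format, one `UPPERCASE-SHA1:count` line per row, sorted by hash. Because the rows are sorted, the lookup can binary-search the file by byte offset instead of reading the whole multi-gigabyte file into memory. The passwords and counts embedded below are constructed for the example and are not real HIBP data.

```python
import hashlib
import os
import tempfile

# Constructed sample entries (password -> breach count). They stand in for
# the real download; the counts are made up for this example.
_SAMPLE_PASSWORDS = {
    "password": 3861493,
    "123456": 23597311,
    "letmein": 204012,
    "correcthorse": 2,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the key format of the ordered HIBP file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_file(path: str) -> None:
    """Write a small file in the 'ordered by hash' layout: HASH:COUNT, sorted."""
    lines = sorted(f"{sha1_hex(p)}:{n}" for p, n in _SAMPLE_PASSWORDS.items())
    with open(path, "w", newline="\n") as fh:
        fh.write("\n".join(lines) + "\n")


def pwned_count(db_path: str, password: str) -> int:
    """Return how often the password's hash appears in the file, 0 if absent.

    Binary search over byte offsets: each probe seeks to the middle of the
    current range, skips to the next line boundary, and compares that line's
    hash with the target. Roughly log2(file size) seeks per lookup, so the
    full 23 GB file can be queried without loading it.
    """
    target = sha1_hex(password).encode("ascii")
    size = os.path.getsize(db_path)
    with open(db_path, "rb") as fh:
        lo, hi = 0, size
        while lo < hi:
            mid = (lo + hi) // 2
            if mid > 0:
                # Seek one byte back and consume the rest of that line so we
                # land exactly on the next line start (or on mid itself if
                # mid already is a line start).
                fh.seek(mid - 1)
                fh.readline()
            else:
                fh.seek(0)
            start = fh.tell()
            if start >= size:
                # No line starts at or after mid; the answer lies before it.
                hi = mid
                continue
            line = fh.readline()
            line_hash, _, count = line.rstrip(b"\r\n").partition(b":")
            if line_hash == target:
                return int(count)
            if line_hash < target:
                lo = fh.tell()  # everything up to this line is smaller
            else:
                hi = mid        # the target, if present, starts before mid
    return 0


def demo() -> dict:
    """Build the constructed sample file in a temp dir and query it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "pwned-passwords-sha1-ordered-by-hash-sample.txt")
        build_sample_file(db)
        probes = ["password", "correcthorse", "letmein", "Tr0ub4dor&3-not-in-file"]
        return {p: pwned_count(db, p) for p in probes}


if __name__ == "__main__":
    for pw, n in demo().items():
        status = f"leaked ({n} times)" if n else "not found"
        print(f"{pw!r}: {status}")
```

The plugin performs the same kind of lookup from inside KeePass and records the outcome in the Have I Been Pwned column; the example returns the raw count instead so the mechanism is visible.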

 

A hit does not necessarily mean that the password is known to third parties in plain text; that depends on the password's strength and on the capabilities of the third party to recover it from the leaked hash.

What you may want to do with leaked passwords

It is still recommended that you change passwords that are found in the Have I Been Pwned database. Just visit the site or service in question and start the change password process there.

 

You may use KeePass to generate strong secure passwords; these are checked automatically against the Have I Been Pwned database again so that you get verification on that end as well.

Closing Words

The main benefit of the method is that all checks are done locally. The downside is that you need to download new releases of the leaked password database file regularly to check against its latest version.

 

Source: Check all KeePass passwords against the Have I Been Pwned database locally (gHacks - Martin Brinkmann)


I've done all the above and I'm not getting any results. Doesn't seem to matter if it's the portable version or installed, it doesn't give me anything.

 



9 hours ago, Webkikr said:

I've done all the above and I'm not getting any results. Doesn't seem to matter if it's the portable version or installed, it doesn't give me anything.

 

 

Figured it out. You have to select all the password entries you want checked after running the plugin. Highlight them all, then right click and choose the pwned plugin. 



It's good to have an offline check.

 

Only one out of my hundred or so passwords got flagged... that was one of my wife's which wasn't randomly generated and was just a couple of words (typical!)

 

That PW has now been changed, and I'm wondering what ransom to demand for the new one... :D
