security

Checking my Passwords against the 'Have I Been Pwned' database with KeePass

In light of the recent "Collection #1" Data Breach containing a whopping 2,692,818,238 rows of data that was recently uploaded to the 'Have I been Pwned' site by Troy Hunt, I wanted to update my Password Manager of choice 'KeePass' to check all of my existing and new passwords against passwords found in this breach and all others that have been loaded onto the HIBP website.

If you haven't heard of this site, "Have I been Pwned" (https://haveibeenpwned.com/) been sure to check it out here, you can enter your email address(es) and check if they have been involved in one of the many data breaches that Troy has added to the site. You can also register to receive an email notification if any breaches occur in the future that your email is found in.

Some household names have been comprised over the years including nearly half a million usernames and passwords from Yahoo and others you may recognise include Sony, Vodafone,  Domino's, and Dropbox (with over 68 million email addresses and salted passwords in this particular breach)

It is recommended to use a password manager to keep all of your passwords safe and preferably you should let the password manager auto-generate a strong password for each website you use and never re-use passwords across sites.

Popular password managers include 1Password and LastPass however I have opted free and Open Souce option KeePass which takes slightly more configuration to get fully up and running if you want to use it accross multiple devices compared to the hosted versions.

You can find more information of KeePass including installation and configuation steps form their site here

If you have KeePass up and running, you can download the awesome 'keepass2-haveibeenpwned' plugin from the following GitHub page https://github.com/andrew-schofield/keepass2-haveibeenpwned. Follow the instructions on the read me page to download the PLGX file.

To install this PLGX open KeePass then select 'Plugins' under the Tools menu then 'Open Folder' and copy the PGLX file into the folder that was opened.

1

2

3

Once the file has been copied over, close and open KeePass again, this will install the plugin. If all has worked, under tools you should now have a new menu option for 'Have I Been Pwned'

4

The first time you choose any of these options it will analyse all of your entries in KeePass so may take a minute or so depending on the number of entries you have.

I have selected to analyse passwords

5

Clicking OK will run through each entry and check the password against the passwords on HIBP.

Note: This checker sends a small portion of the password hash to HIBP and then checks the full hash locally against the list of hashes returned by HIBP. This service does not send your password, nor enough of the hash to expose your password to HIBP.You can read more about how HIBP supports this here https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

6-1

Once it completed, you can see it found I have no comprimised passwords (phew!)

7

To see how it would work with a compromised password, I'm going to add a new KeePass entry with a common password 'hunter2'

8

When I run the analysis again, its much faster as it can skip those aleady checked, however this time you will see it now warns me that its found a compromised password.

9