A pass extension for auditing your password repository.
pass audit
is a password-store extension for auditing your password repository.
Passwords will be checked against the Python implementation of Dropbox'
zxcvbn
algorithm and Troy Hunt's Have I Been Pwned Service.
It supports safe breached password detection from haveibeenpwned.com
using a K-anonymity method. Using this method, you do not need to
(fully) trust the server that stores the breached password. You should read the
security consideration section for more information.
usage: pass audit [-h] [-V] [-n NAME] [-v | -q] [pass-names]
A pass extension for auditing your password repository. It supports safe
breached password detection from haveibeenpwned.com using K-anonymity method,
duplicated passwords, and password strength estimation using zxcvbn.
positional arguments:
pass-names Path(s) to audit in the password store, If empty audit the full store.
options:
-h, --help show this help message and exit
-V, --version Show the program version and exit.
-n NAME, --name NAME Check only passwords with this filename
-v, --verbose Set verbosity level, can be used more than once.
-q, --quiet Be quiet.
More information may be found in the pass-audit(1) man page.
See man pass-audit
for more information.
Audit a subfolder for pwned passwords
pass audit goodpasswords/
(*) None of the 7 passwords tested are breached.
. But it does not means they are strong.
pass audit pwnedpasswords/
w Password breached: password from Password/pwned/5 has been breached 3303003 time(s).
w Password breached: correct horse battery staple from Password/pwned/2 has been breached 2 time(s).
[x] Error: 7 passwords tested and 2 breached passwords found.
. You should update them with 'pass-update'.
K-anonymity
This program uses K-anonymity to retrieve the knowledge of breached passwords from HIBP server. K-anonymity applied to breached password check on an untrusted remote server is a recent cryptographic approach. It means only the first five characters of the SHA1 hash of your password is sent to the server. It offers decent anonymity; nevertheless, it is not an entirely secure solution.
More reading:
- https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
- https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
Mandatory Access Control (MAC)
AppArmor profiles for pass
and pass-audit
are available in
apparmor.d
. If your distribution support AppArmor, you can
clone the apparmor.d and run: sudo ./pick pass pass-import
to only install
these AppArmor security profiles.
Network
pass-audit only needs to establish network connection to connect to the haveibeenpwned.com server.
Password Update
You might also want to update the passwords imported using pass-update
.
Requirements
pass 1.7.0
or greater.- Python 3.6+
python3-setuptools
to build and install it.python3-requests
(apt install python3-requests
orpip3 install requests
)python3-zxcvbn
(pip3 install zxcvbn
)
ArchLinux
pass-audit
is available in the Arch User Repository.
yay -S pass-audit # or your preferred AUR install method
Debian/Ubuntu
pass-audit
is available under my own debian repository with the package name
pass-extension-audit
. Both the repository and the package are signed with
my GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC
.
wget -qO - https://pkg.pujol.io/debian/gpgkey | sudo apt-key add -
echo 'deb [arch=amd64] https://pkg.pujol.io/debian/repo all main' | sudo tee /etc/apt/sources.list.d/pkg.pujol.io.list
sudo apt-get update
sudo apt-get install pass-extension-audit
FreeBSD
# install the binary package
pkg install py36-pass-audit
# or build it using the ports tree
make -C /usr/ports/security/py-pass-audit install clean
Using pip
pip install pass-audit
From git
git clone https://github.com/roddhjav/pass-audit/
cd pass-audit
python3 setup.py install
Stable version
wget https://github.com/roddhjav/pass-audit/releases/download/v1.2/pass-audit-1.2.tar.gz
tar xzf pass-audit-1.2.tar.gz
cd pass-audit-1.2
python3 setup.py install
Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC
.
You should check the key's fingerprint and verify the signature:
wget https://github.com/roddhjav/pass-audit/releases/download/v1.2/pass-audit-1.2.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-audit-1.2.tar.gz.asc
Local install
Alternatively, from git or a stable version you can do a local install with:
cd pass-audit
python3 setup.py install --user
Remember to set PASSWORD_STORE_ENABLE_EXTENSIONS
to true
for the local
extension to be enabled.
Feedback, contributors, pull requests are all very welcome.
- Tobias Girstmair (zxcvbn)
Copyright (C) 2018-2022 Alexandre PUJOL and Contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.