Have I Been Pwned hosts a database of passwords that have been exposed in website breaches. With this data we can make sure we are not still using a compromised password and putting ourselves at unnecessary risk. Chrome, for example, does this check automatically, presumably using this or a similar database. KeePass has a plugin for it. Unfortunately, no such plugin is available for MacPass. This post documents how I managed to check my passwords without resorting to KeePass.
Prepare the HIBP database

- Download the Have I Been Pwned (HIBP) password database. I picked version 7 of the SHA-1 file ordered by hash (dba43bd82997d5cef156219cb0d295e1ab948727).
- Clone the pwnedpass project.
- In the pwnedpass directory, convert the password database to a searchable format:

  ```shell
  7z e -so pwned-passwords-sha1-ordered-by-hash-v7.7z pwned-passwords-sha1-ordered-by-hash-v7.txt | go run cmd/pwngen/main.go pwned-passwords.bin
  ```

- Run pwnd to start a local HTTP server mimicking the HIBP API:

  ```shell
  go run cmd/pwnd/read.go
  ```

- Export passwords from MacPass in XML format to a file; the commands below assume it is named all.xml.
- Use xmlstarlet to trim out historical passwords, which no longer matter:

  ```shell
  xmlstarlet ed -d '//Entry/History' all.xml > current.xml
  ```

- Use xmlstarlet to extract the (non-empty) passwords into a flat text file:

  ```shell
  xmlstarlet sel -T -t -m '//Entry[String[Key/text() = "Password"]/Value != ""]' -v 'String[Key/text() = "Password"]/Value' -n current.xml > passwords.txt
  ```

- Clone the haveibeenpwned project.
- Edit havei.sh to point to our local server instead of the public API:

  ```shell
  sed -i '' 's/https:\/\/api.pwnedpasswords.com/http:\/\/localhost:8889/' havei.sh
  ```

- Check all passwords against the HIBP database:

  ```shell
  ./havei.sh --file=passwords.txt -d=0 --plain
  ```
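The same pipeline as an added Python example (not code from the post or from the pwnedpass or haveibeenpwned projects): it parses the MacPass XML export directly, skips History entries and empty passwords, and queries the local pwnd server's range endpoint by SHA-1 prefix, so the plaintext passwords never need to be written to passwords.txt. The XML fragment and the range response used in the test are constructed; the server URL is the one from the post, and the /range/<prefix> path and SUFFIX:COUNT response format are assumed to match the public HIBP API that pwnd mimics.

```python
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

# Local pwnd server from the post; assumed to expose HIBP's /range/<5 hex chars>.
API_BASE = "http://localhost:8889"

# Constructed KeePass-style XML in the shape MacPass exports: one current entry
# with an old password in its History (must be ignored), one entry with no password.
SAMPLE_XML = """<KeePassFile><Root><Group>
<Entry><String><Key>Title</Key><Value>example</Value></String>
       <String><Key>Password</Key><Value>password</Value></String>
  <History><Entry><String><Key>Password</Key><Value>old-secret</Value></String></Entry></History>
</Entry>
<Entry><String><Key>Title</Key><Value>empty</Value></String>
       <String><Key>Password</Key><Value></Value></String></Entry>
</Group></Root></KeePassFile>"""


def current_passwords(xml_text):
    """Yield (title, password) for current entries only, like the two xmlstarlet steps."""
    root = ET.fromstring(xml_text)
    historical = {id(e) for h in root.iter("History") for e in h.iter("Entry")}
    for entry in root.iter("Entry"):
        if id(entry) in historical:
            continue
        fields = {s.findtext("Key"): s.findtext("Value", "") for s in entry.findall("String")}
        if fields.get("Password"):  # drops entries whose Password value is empty
            yield fields.get("Title", ""), fields["Password"]


def parse_range(body):
    """Parse a range response ('SUFFIX:COUNT' per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    with urllib.request.urlopen(f"{API_BASE}/range/{prefix}") as resp:
        return resp.read().decode()


def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the corpus (0 if absent).
    Only the first 5 hex characters of its SHA-1 are sent to the server."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


def check_export(xml_text, fetch=fetch_range):
    """Return [(title, count)] for every current entry whose password is in the corpus."""
    found = []
    for title, password in current_passwords(xml_text):
        count = breach_count(password, fetch)
        if count:
            found.append((title, count))
    return found
```

Pass `fetch=` a function that returns a canned response to exercise the logic without a server; with the default it expects pwnd to be listening on localhost:8889.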