Check all KeePass passwords against the Have I Been Pwned database locally

Martin Brinkmann
Jan 18, 2019
Security

The following tutorial walks you through the steps of integrating password security checks in the KeePass password manager. The checks use the latest Have I Been Pwned database of leaked passwords and everything is run locally so that you don't have to worry about leaking password hashes over the Internet.

KeePass is an excellent desktop password manager that stores its databases locally by default. It is a feature-rich password manager that was audited in 2016.

Have I Been Pwned is an online service to check whether one of your online accounts has been compromised in a data breach.

Some password managers, e.g. 1Password, come with functionality to check passwords against the database.

Setting things up


KeePass users can do the same, but locally. Here is what is needed for that:

  1. You need a copy of KeePass.
  2. Download the latest version of the KeePass plugin HIBP Offline Check. KeePass supports lots of plugins that may improve security and other functionality.
  3. Download the latest SHA-1 (ordered by hash) password database file from Have I Been Pwned.

Place the plugin file in the KeePass plugin folder. The plugin is open source, and you may build it from source and vet it yourself if you have the skills.

Installed copies of KeePass are found under C:\Program Files (x86)\KeePass by default.

Extract the password database file and place it somewhere on the system. Note that the extracted file is 23 Gigabytes in plain text format right now; the download itself is roughly 9 Gigabytes.

Start the KeePass password manager afterward and select Tools > HIBP Offline Check in the program's interface. Click on Browse and select the password database file that you extracted to the system.

You may change other parameters, e.g. the column name in KeePass or the text that is displayed for secure and insecure passwords.

Last but not least, select View > Configure Columns, and activate the Have I Been Pwned column to display the findings of the check in the interface.

Checking KeePass passwords against the Have I Been Pwned database


You have multiple options to check passwords against the database file.

  1. Double-click on the password field of any entry to check it.
  2. Select multiple items, right-click on the selection and pick Selected Entries > Have I Been Pwned database.

The plugin also checks any updated password against the database automatically. In each case it compares the SHA-1 hash of the password with the hashes in the database file to determine whether the password has been leaked.
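The core of such a lookup, as an added Python example that is not the plugin's own code: a constructed four-line sample file in the HIBP "ordered by hash" format (one HASH:COUNT line per password, sorted by hash) stands in for the 23 Gigabyte download, and the lookup binary-searches it by byte offset so the file is never read into memory. The file path, the sample passwords and their counts are all constructed here.

```python
import hashlib
import os
import tempfile

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form used in the HIBP 'ordered by hash' file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def write_sample_file(path, entries):
    """Constructed stand-in for the real download: 'HASH:COUNT' lines sorted by hash."""
    lines = sorted(f"{sha1_hex(pw)}:{count}" for pw, count in entries)
    with open(path, "w", newline="\n") as f:
        f.write("\n".join(lines) + "\n")

def lookup_count(path, digest):
    """Binary-search the sorted file by byte offset; returns the count, or 0 if absent."""
    digest = digest.upper().encode("ascii")
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        lo, hi = 0, f.tell()              # byte range that may still hold the target line
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(max(mid - 1, 0))
            if mid > 0:
                f.readline()              # skip the partial line: land on a line start >= mid
            pos = f.tell()
            line = f.readline()
            if not line or pos >= hi:     # no line starts in [mid, hi): look earlier
                hi = mid
                continue
            h, _, count = line.rstrip(b"\r\n").partition(b":")
            if h == digest:
                return int(count)
            if h < digest:
                lo = f.tell()             # target, if present, starts after this line
            else:
                hi = pos                  # target, if present, starts before this line
    return 0

def check_password(path, password):
    """What the plugin's check amounts to: hash locally, look the hash up, report."""
    return "insecure" if lookup_count(path, sha1_hex(password)) else "secure"

# Constructed sample (not real HIBP data): a few passwords with made-up breach counts.
SAMPLE = [("P@ssw0rd", 51000), ("password", 3700000), ("letmein", 240000), ("qwerty", 3900000)]
SAMPLE_PATH = os.path.join(tempfile.gettempdir(), "hibp_sample_constructed.txt")
write_sample_file(SAMPLE_PATH, SAMPLE)
```

Calling check_password(SAMPLE_PATH, "P@ssw0rd") reports "insecure"; pointing lookup_count at the real extracted file works the same way because the search only relies on the lines being sorted.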

A hit does not necessarily mean that the password itself is known to third parties: a leaked hash still has to be cracked, and whether that succeeds depends on the password's strength and on the resources of whoever holds the hash.

What you may want to do with leaked passwords

It is still recommended that you change passwords that are found in the Have I Been Pwned database. Just visit the site or service in question and start the change password process on the site.

You may use KeePass to generate strong, secure passwords; these are checked automatically against the Have I Been Pwned database as well, so you get verification on that end too.

Closing Words

The main benefit of the method is that all checks are done locally. The downside is that you need to download new releases of the leaked password database file regularly to check against its latest version.

Now you: which password manager do you use?


Comments

  1. Clairvaux said on August 23, 2019 at 10:25 am
    Reply

    What is the best HIBP plugin for Kee Pass ? I have found three :

    https://github.com/mihaifm/HIBPOfflineCheck
    https://github.com/JanisEst/KeePassHIBP/
    https://github.com/andrew-schofield/keepass2-haveibeenpwned

    Maybe an idea for a new article ?

    I have used Andrew Schofield’s, and I’m not impressed for various reasons. The usability is not good. The menus are confusing.

    It would be nice to have a choice between local and online check.

  2. Alex said on January 24, 2019 at 7:26 pm
    Reply

    After performing the check and removing the plugin, I’ve noticed that the “Have I been pwned?” Custom Field is still in-place. Also, *all* entries still contain its value (secure/insecure).

    Any ideas on how to clean up the database and remove all info related to this plugin?

  3. Tom Bratt said on January 22, 2019 at 7:00 pm
    Reply

    Found this as well to check without downloading the data file https://github.com/fopina/kdbxpasswordpwned

  4. sephistopheles said on January 20, 2019 at 3:09 pm
    Reply

    Hm, why do I only get stars in the “Have I been pwned” column?

  5. Ryan said on January 19, 2019 at 1:48 am
    Reply

    Very good information, I like the idea of an offline check and that the plugins code is on github. I received an email saying my address was in the breach but have no idea which of my 100s of passwords it could have been. Too many to put in to that site even if I wanted to. I use 2FA on my important accounts so I’m not real worried but maybe I’ll give this a try.

  6. Belga said on January 18, 2019 at 10:55 pm
    Reply

    This works only with the paid version, right ?!

    1. Martin Brinkmann said on January 19, 2019 at 8:01 am
      Reply

      There is no paid version.

      1. Belga said on January 19, 2019 at 9:08 am
        Reply

        Sorry, I should have said “KeePass 2.x”.
        Under KeePass 1.37, I don’t see the plugin under Tools after installing it in the folder “plugins” !

  7. Clairvaux said on January 18, 2019 at 8:12 pm
    Reply

    You must have been reading my mind.

  8. Richard Steven Hack said on January 18, 2019 at 6:36 pm
    Reply

    The problem with the site is that it asks for your email. Then if any site at which that email has been used has ever been breached, it is assumed that the password used at that site is compromised. But if you’re following best practice and not re-using passwords, then only the password used at that site has been compromised.

    I frequently reuse passwords at sites that aren’t important to me. I don’t use such passwords at sites that are important, such as access to my bank account or email. In fact, my bank account access doesn’t even use my main email address for access. They do have it for emailing me notifications about my monthly statement being available but that has nothing to do with the login to their online site.

    So the Have I Been Pwned site revealed to me that my (spam collector) email that I use at most sites has been compromised at 3 sites, and my main email has been compromised at 3 sites. But both emails have multiple different passwords and none of them are used for my important sites. One of the compromised sites is MySpace, which shows you how old that access was.

    So the Have I Been Pwned site does nothing for me but assure me that I have NOT been pwned. Which is good to know, of course.

    1. bobbbbb said on January 24, 2019 at 10:32 am
      Reply

      How is that a problem though? The HIBP site’s alert function lets you know if your email is part of some dump of compromised login data for some site – that is all. It is then up to you to figure out what that means in your case and what you need to do. If the account isn’t important and you never reused the password elsewhere then do nothing. But still good to know.

  9. Vrai said on January 18, 2019 at 5:43 pm
    Reply

    Great post Martin. Very useful info.

    I thought I might give this a try as I am KeePass user but two stumbling blocks forestalled my enthusiasm.
    1.) It appears that this is a Windows only plugin – no Linux. There is mention of Visual Studio and .dll files.
    2.) I am familiar with Troy Hunt and trust his work. I have no idea who the developer of this plug-in is. It is ‘probably’ fine – but the reason I use KeePass is I don’t like to put all my eggs in the ‘probably’ basket.

  10. Alex said on January 18, 2019 at 4:51 pm
    Reply

    I’ve disabled Plugins via Options/Policy in KeePass but I will make a temporary exception for a one-time check. Thanks for the nice security tip and well-written article.

  11. spook said on January 18, 2019 at 4:48 pm
    Reply

    Very handy indeed. With your help I tested passwords I used long before getting KeePass on my side and confirmed compromised passwords were just that. Also discovered my QuickBooks pw is focked. A true testament to the integrity of the folks at Intuit to which I suspected as much and never allowed QB online access after registering.

    Not sure what early posters are going off about but this is good stuff.

  12. 489 said on January 18, 2019 at 2:45 pm
    Reply

    Nice article, thanks! I’ve been using KP on desktop and mobile for a while now.

    1. Dylan said on January 18, 2019 at 4:11 pm
      Reply

      Nice article? He’s telling people to put their passwords online and throwing them out into the wild and definitely will need to be changed… Big security risk.

      To Ghacks.net

      Stick to writing news articles and information pieces, you’re not an expert to be giving this kind of advice to check passwords online.

      1. Anonymous said on January 19, 2019 at 1:54 am
        Reply

        Wow, I would retract that if I were you, as it betrays a lack of reading comprehension.

      2. Martin Brinkmann said on January 18, 2019 at 6:30 pm
        Reply

        The password checks happen locally.

      3. Silver said on January 19, 2019 at 2:33 am
        Reply

        It’s sad when people are not reading the actual article. It clearly said how to check if your passwords are pwned locally not only in the title but also in the article itself. Yet they are still missing that very important point.

        Anyways, thank you for the step-by-step on how you can download the password dump and use KeePass locally to compare your passwords to the locally downloaded password dump.

  13. Nebulus said on January 18, 2019 at 2:30 pm
    Reply

    Some comments from here made me to think that people didn’t understand what the article is about. It is not about entering your password on a site you don’t trust, it is about downloading a database of hashed passwords and use it locally to check your passwords.

    1. Silver said on January 19, 2019 at 2:30 am
      Reply

      Well, quite a lot of people only read headlines. But the funny part is that this headline specifically said how to check it locally on your computer yet some people are still missing that.

  14. asd said on January 18, 2019 at 1:40 pm
    Reply

    If you are using KeePass, you should already be changing your important passwords regularly. Problem solved. No need for this fishy service.

    1. PhoenixofMT said on January 19, 2019 at 7:37 am
      Reply

      I use a short, easy to remember password with a few minute permutations for a lot of sites that I don’t feel are critical. They’re all in KeePass because after 6 months of not frequenting a site, it’s hard to remember if I used a “!” or a “@” in the special character place. It’s nice to know that, along with my 40-character, whole-keyboard, financial passwords, my fewer-character, basic 1337 approach hasn’t compromised my Netflix and Pandora.

  15. Ivan said on January 18, 2019 at 11:21 am
    Reply

    Where do you get the Keepass Lib from, to compile the offline check tool yourself?

  16. Lan said on January 18, 2019 at 10:44 am
    Reply

    Is it possible with Bitwarden?

    1. foolishgrunt said on January 18, 2019 at 5:33 pm
      Reply

      Bitwarden lets you check individual passwords against Have I Been Pwned (just like 1Password), but not in batches and not offline (that I’m aware of).

  17. Anonymous said on January 18, 2019 at 10:42 am
    Reply

    The fact that the HIBP website also gives the possibility to check passwords by typing them online seems completely crazy from a security point of view. Giving them email addresses, maybe, maybe not… but passwords, seriously ?
    Even more crazy is that their site seems to use the Cloudflare man-in-the-middle traffic snooper, so Cloudflare will see all the passwords you check online there.

    1. Mr Stank said on January 18, 2019 at 1:28 pm
      Reply

      This. You must be out of your mind or just a dumb fuck, so to say, if you give them your passwords, even for a check. Just go and change any password you deem in need to be changed (aka the not throwaway account passwords) and you are fine.

      1. chump2010 said on February 5, 2019 at 6:45 pm
        Reply
    2. chump2010 said on January 18, 2019 at 12:05 pm
      Reply

      I have read Troy’s explanation of the passwords. It is very long and technical but it does make sense to me: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

      “As much as I don’t want to encourage people to plug their real password(s) into random third-party sites, I can guarantee that a sizable number of people got a positive hit and then changed their security hygiene as a result. One of the biggest things that’s resonated with me in running HIBP is how much impact it’s had on changing user behaviour. Seeing either your email address or your password pwned has a way of making people reconsider some of their security decisions.”

      “If you wanted to check whether the password “P@ssw0rd” exists in the data set….The SHA-1 hash of that string is “21BD12DC183F740EE76F27B78EB39C8AD972A757” so what we’re going to do is take just the first 5 characters, in this case that means “21BD1”. That gets sent to the Pwned Passwords API and it responds with 475 hash suffixes (that is everything after “21BD1”) and a count of how many times the original password has been seen.”

      1. Anonymous said on January 19, 2019 at 12:49 pm
        Reply

        @chump2010

        So if I understand well there’s some security in having only a part of a hash of the typed password sent to their server. Assuming you trust the HIBP site, the Cloudflare MitM won’t be able to read the passwords in transit then.

        But if you don’t trust the HIBP site, you can’t trust either that the client-side javascript code that they send to your browser does what they claim it does unless you check it yourself every time you connect to their page (or unless you check you network traffic). It could send the whole password. But that would be risky for them because they could get caught doing it.
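The range-query exchange that chump2010's quote describes and the reply above reasons about, as an added Python example that is not part of either comment and not HIBP's own code: the client hashes locally and sends only the first five hex characters of the SHA-1 hash, the server answers with every stored suffix in that range, and the match happens on the client, so the server sees the prefix and nothing else. The stored data set and its counts are constructed here; the real service answers a prefix with several hundred suffixes rather than the handful used below.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords data set (not real HIBP content).
# Keys are full uppercase SHA-1 hex digests, values are made-up breach counts.
PWNED = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): n
    for pw, n in [("P@ssw0rd", 51000), ("password", 3700000), ("letmein", 240000)]
}

def client_prepare(password: str):
    """Client side: hash locally, then split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def server_range(prefix: str):
    """Server side: the only input it receives is the prefix. It returns every stored
    suffix sharing that prefix with its count, in the API's 'SUFFIX:COUNT' line format."""
    return [f"{h[5:]}:{n}" for h, n in sorted(PWNED.items()) if h.startswith(prefix)]

def client_match(suffix: str, response_lines):
    """Client side: look for its own suffix in the returned range. Returns the count,
    or 0 when absent. The server never learns which suffix, if any, matched."""
    for line in response_lines:
        s, _, n = line.partition(":")
        if s == suffix:
            return int(n)
    return 0

def check_password_k_anonymity(password: str):
    """Run the full exchange and also report what the server saw, so the
    privacy property of the protocol is visible in the result."""
    prefix, suffix = client_prepare(password)
    response = server_range(prefix)
    return {"server_saw": prefix, "count": client_match(suffix, response),
            "range_size": len(response)}
```

The reply's caveat still holds: this only protects the password if the client-side code really sends the prefix and nothing more, which is why client_prepare is the part worth inspecting in any such implementation.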
