Check all KeePass passwords against the Have I Been Pwned database locally
The following tutorial walks you through the steps of integrating password security checks in the KeePass password manager. The checks use the latest Have I Been Pwned database of leaked passwords and everything is run locally so that you don't have to worry about leaking password hashes over the Internet.
KeePass is an excellent desktop password manager that stores its databases locally by default. It is a feature-rich password manager that was audited in 2016.
Have I Been Pwned is an online service to check whether one of your online accounts has been compromised in a data breach.
Some password managers, e.g. 1Password, come with functionality to check passwords against the database.
Setting things up
KeePass users can do the same, but locally. Here is what is needed for that:
- You need a copy of KeePass.
- Download the latest version of the KeePass plugin HIBP Offline Check. KeePass supports lots of plugins that extend its security and other functionality.
- Download the latest SHA-1 (ordered by hash) password database file from Have I Been Pwned.
Place the plugin file in the KeePass plugin folder. The plugin is open source and you may build it from scratch and vet it if you have the skills.
Installed copies of KeePass are found under C:\Program Files (x86)\KeePass by default.
Extract the password database file and place it somewhere on the system. Note that the extracted plain-text file currently has a size of 23 Gigabytes; the download itself is roughly 9 Gigabytes.
Start the KeePass password manager afterward and select Tools > HIBP Offline Check in the program's interface. Click on Browse and select the password database file that you extracted to the system.
You may change other parameters, e.g. the column name in KeePass or the text that is displayed for secure and insecure passwords.
Last but not least, select View > Configure Columns, and activate the Have I Been Pwned column to display the findings of the check in the interface.
Checking KeePass passwords against the Have I Been Pwned database
You have multiple options to check passwords against the database file.
- Double-click on the password field of any entry to check it.
- Select multiple items, right-click on the selection and pick Selected Entries > Have I Been Pwned database.
The plugin also checks any password you add or change against the database automatically. In every case it computes the SHA-1 hash of the password and looks that hash up in the hash database to determine whether it has appeared in a leak.
A hit does not necessarily mean that the password is known to third parties in plain text: whether a leaked hash has been cracked depends on the password's strength and on the capabilities of the third party holding the leak.
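To show what an offline check against the "ordered by hash" file involves, here is an added example that is not the plugin's own code: it hashes a password with SHA-1 and binary-searches the sorted HASH:COUNT file by seeking, so even the 23 Gigabyte file is never loaded into memory. The sample file, its passwords and counts are constructed, and the "secure"/"insecure" verdict strings only mirror the wording used above; how the plugin itself performs the lookup is not described on this page.

```python
import hashlib
import os
import tempfile


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used in the HIBP file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_count(path: str, hash_hex: str) -> int:
    """Binary search over a 'HASH:COUNT' file that is ordered by hash.
    Seeks into the file instead of reading it, so a very large file is fine.
    Returns how often the hash was seen in leaks, or 0 if it is absent."""
    target = hash_hex.upper().encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(max(mid - 1, 0))
            if mid > 0:
                f.readline()              # finish the line that contains byte mid-1
            line_start = f.tell()         # first line starting at or after mid
            line = f.readline()
            if not line:                  # nothing starts at or after mid
                hi = mid
                continue
            h, _, count = line.rstrip(b"\r\n").partition(b":")
            if h == target:
                return int(count)
            if h < target:
                lo = line_start + len(line)   # search after this line
            else:
                hi = mid
    return 0


def check_password(path: str, password: str) -> str:
    """Per-entry verdict in the wording used by the article (assumed labels)."""
    return "insecure" if lookup_count(path, sha1_hex(password)) else "secure"


def make_sample_db() -> str:
    """Constructed stand-in for the real file: a few hashes, sorted, CRLF lines.
    The passwords and counts are made up for this example."""
    rows = {sha1_hex("password"): 1234, sha1_hex("123456"): 567,
            sha1_hex("letmein"): 89, sha1_hex("qwerty"): 42}
    path = os.path.join(tempfile.mkdtemp(), "pwned-passwords-sample.txt")
    with open(path, "wb") as f:
        for h in sorted(rows):            # same byte order the lookup relies on
            f.write(f"{h}:{rows[h]}\r\n".encode("ascii"))
    return path
```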
What you may want to do with leaked passwords
It is still recommended that you change passwords that are found in the Have I Been Pwned database. Just visit the site or service in question, and start the change password process on the site.
You may use KeePass to generate strong secure passwords; these are checked automatically against the Have I Been Pwned database again so that you get verification on that end as well.
The main benefit of the method is that all checks are done locally. The downside is that you need to download new releases regularly to check against the latest version of the leaked password database file.
Now you: which password manager do you use?
The fact that the HIBP website also gives the possibility to check passwords by typing them online seems completely crazy from a security point of view. Giving them email addresses, maybe, maybe not… but passwords, seriously ?
Even more crazy is that their site seems to use the Cloudflare man-in-the-middle traffic snooper, so Cloudflare will see all the passwords you check online there.
I have read Troy’s explanation of the passwords. It is very long and technical but it does make sense to me: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
“As much as I don’t want to encourage people to plug their real password(s) into random third-party sites, I can guarantee that a sizable number of people got a positive hit and then changed their security hygiene as a result. One of the biggest things that’s resonated with me in running HIBP is how much impact it’s had on changing user behaviour. Seeing either your email address or your password pwned has a way of making people reconsider some of their security decisions.”
“If you wanted to check whether the password “P@ssw0rd” exists in the data set…. The SHA-1 hash of that string is “21BD12DC183F740EE76F27B78EB39C8AD972A757” so what we’re going to do is take just the first 5 characters, in this case that means “21BD1”. That gets sent to the Pwned Passwords API and it responds with 475 hash suffixes (that is everything after “21BD1”) and a count of how many times the original password has been seen.”
So if I understand well there’s some security in having only a part of a hash of the typed password sent to their server. Assuming you trust the HIBP site, the Cloudflare MitM won’t be able to read the passwords in transit then.
This. You must be out of your mind or just a dumb fuck, so to say, if you give them your passwords, even for a check. Just go and change any password you deem in need of being changed (aka the not throwaway account passwords) and you are fine.
Now Google Chrome is doing the same thing…
Is it possible with Bitwarden?
Bitwarden lets you check individual passwords against Have I Been Pwned (just like 1Password), but not in batches and not offline (that I’m aware of).
Where do you get the Keepass Lib from, to compile the offline check tool yourself?
If you are using KeePass, you should already be changing your important passwords regularly. Problem solved. No need for this fishy service.
I use a short, easy to remember password with a few minute permutations for a lot of sites that I don’t feel are critical. They’re all in KeePass because after 6 months of not frequenting a site, it’s hard to remember if I used a “!” or a “@” in the special character place. It’s nice to know that, along with my 40-character, whole-keyboard, financial passwords, my fewer-character, basic 1337 approach hasn’t compromised my Netflix and Pandora.
Some comments here made me think that people didn’t understand what the article is about. It is not about entering your password on a site you don’t trust, it is about downloading a database of hashed passwords and using it locally to check your passwords.
Well, quite a lot of people only read headlines. But the funny part is that this headline specifically said how to check it locally on your computer yet some people are still missing that.
Nice article, thanks! I’ve been using KP on desktop and mobile for a while now.
Nice article? He’s telling people to put their passwords online, throwing them out into the wild, and they will definitely need to be changed… Big security risk.
Stick to writing news articles and information pieces, you’re not an expert to be giving this kind of advice to check passwords online.
The password checks happen locally.
It’s sad when people are not reading the actual article. It clearly said how to check if your passwords are pwned locally, not only in the title but also in the article itself. Yet they are still missing that very important point.
Anyways, thank you for the step-by-step on how you can download the password dump and use KeePass locally to compare your passwords to the locally downloaded password dump.
Wow, I would retract that if I were you, as it betrays a lack of reading comprehension.
Very handy indeed. With your help I tested passwords I used long before getting KeePass on my side and confirmed compromised passwords were just that. Also discovered my QuickBooks pw is focked. A true testament to the integrity of the folks at Intuit, which I suspected as much, and I never allowed QB online access after registering.
Not sure what early posters are going off about but this is good stuff.
I’ve disabled Plugins via Options/Policy in KeePass but I will make a temporary exception for a one-time check. Thanks for the nice security tip and well-written article.
Great post Martin. Very useful info.
I thought I might give this a try as I am KeePass user but two stumbling blocks forestalled my enthusiasm.
1.) It appears that this is a Windows-only plugin – no Linux. There is mention of Visual Studio and .dll files.
2.) I am familiar with Troy Hunt and trust his work. I have no idea who the developer of this plug-in is. It is ‘probably’ fine – but the reason I use KeePass is I don’t like to put all my eggs in the ‘probably’ basket.
The problem with the site is that it asks for your email. Then if any site at which that email has been used has ever been breached, it is assumed that the password used at that site is compromised. But if you’re following best practice and not re-using passwords, then only the password used at that site has been compromised.
I frequently reuse passwords at sites that aren’t important to me. I don’t use such passwords at sites that are important, such as access to my bank account or email. In fact, my bank account access doesn’t even use my main email address for access. They do have it for emailing me notifications about my monthly statement being available, but that has nothing to do with the login to their online site.
So the Have I Been Pwned site revealed to me that my (spam collector) email that I use at most sites has been compromised at 3 sites, and my main email has been compromised at 3 sites. But both emails have multiple different passwords and none of them are used for my important sites. One of the compromised sites is MySpace, which shows you how old that access was.
So the Have I Been Pwned site does nothing for me but assure me that I have NOT been pwned. Which is good to know, of course.
How is that a problem though? The HIBP site’s alert function lets you know if your email is part of some dump of compromised login data for some site – that is all. It is then up to you to figure out what that means in your case and what you need to do. If the account isn’t important and you never reused the password elsewhere then do nothing. But still good to know.
You must have been reading my mind.
This works only with the paid version, right?!
There is no paid version.
Sorry, I should have said “KeePass 2.x”.
Under KeePass 1.37, I don’t see the plugin under Tools after installing it in the folder “plugins”!
Very good information, I like the idea of an offline check and that the plugin’s code is on GitHub. I received an email saying my address was in the breach but have no idea which of my 100s of passwords it could have been. Too many to put into that site even if I wanted to. I use 2FA on my important accounts so I’m not real worried, but maybe I’ll give this a try.
Hm, why do I only get stars in the “Have I been pwned” column?
Found this as well to check without downloading the data file: https://github.com/fopina/kdbxpasswordpwned
After performing the check and removing the plugin, I’ve noticed that the “Have I been pwned?” Custom Field is still in-place. Also, *all* entries still contain its value (secure/insecure).
Any ideas on how to clean up the database and remove all info related to this plugin?
What is the best HIBP plugin for KeePass? I have found three:
Maybe an idea for a new article?
I have used Andrew Schofield’s, and I’m not impressed for various reasons. The usability is not good. The menus are confusing.
It would be nice to have a choice between local and online check.