The following tutorial walks you through integrating leaked-password checks into the KeePass password manager. The checks run against a local copy of the Have I Been Pwned "Pwned Passwords" list, so neither a password nor a hash derived from it ever leaves your machine.
Have I Been Pwned is an online service to check whether one of your online accounts has been compromised in a data breach.
Some password managers, e.g. 1Password, come with functionality to check passwords against the database.
KeePass users can do the same, but locally. Here is what is needed for that:
Download the HIBP Offline Check plugin and place the plugin file in the KeePass Plugins folder. The plugin is open source; if you have the skills, build it from source and vet it instead of trusting the prebuilt file.
Installed copies of KeePass are found under C:\Program Files (x86)\KeePass by default; plugins go in the Plugins subfolder of that directory.
Download the Pwned Passwords SHA-1 list in the variant that is ordered by hash (a sorted file can be searched without loading it into memory), extract it and place it somewhere on the system. Note that it currently has a size of 23 Gigabytes in plain-text form; the compressed download is roughly 9 Gigabytes.
Start the KeePass password manager afterward and select Tools > HIBP Offline Check in the program's interface. Click on Browse and select the extracted password list file.
You may change other parameters, e.g. the column name in KeePass or the text that is displayed for secure and insecure passwords.
Last but not least, select View > Configure Columns, and activate the Have I Been Pwned column to display the findings of the check in the interface.
You have multiple options to check passwords against the database file.
The plugin checks any new or changed password automatically. The comparison is done on hashes, not plaintext: the plugin computes the SHA-1 hash of the entry's password and looks it up in the downloaded file, which lists the SHA-1 hashes of leaked passwords together with the number of times each one was seen in breaches.
A hit does not necessarily mean that your account was compromised: it means that this exact password, used by you or by someone else, turned up in at least one breach corpus. That is enough for attackers, because such passwords end up in the wordlists used for credential stuffing and password cracking, regardless of how strong the password looks.
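The lookup described above, as an added Python example written for this article (illustrative code, not the plugin's own source): it hashes the password with SHA-1 and binary-searches the HIBP "ordered by hash" text file by byte offset, so the multi-gigabyte file is never read into memory. The sample corpus, its counts and the temporary file name are constructed for the demo; `pwned_count` works unchanged on a real downloaded list.

```python
#!/usr/bin/env python3
"""Offline Pwned Passwords lookup (illustrative, not the KeePass plugin's code).

The HIBP 'ordered by hash' file has one line per leaked password:
    5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
i.e. uppercase hex SHA-1, a colon, and how often the password was seen.
Because the lines are sorted by hash, a lookup can binary-search the file
by byte offset instead of loading 23 GB into memory.
"""
import hashlib
import os
import tempfile


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys are the uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, path: str) -> int:
    """Return how often `password` appears in the local HIBP file, 0 if absent.

    Each probe seeks to a byte offset, realigns to the next line boundary and
    compares that line's hash, so a lookup costs about log2(file size) short
    reads however large the file is.
    """
    target = sha1_upper(password).encode("ascii")
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        lo, hi = 0, f.tell()  # invariant: the matching line, if any, starts in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            if mid == 0:
                line_start = 0
                f.seek(0)
            else:
                # Read from one byte before mid so a line starting exactly at
                # mid is not skipped; line_start is the first line start >= mid.
                f.seek(mid - 1)
                f.readline()
                line_start = f.tell()
            if line_start >= hi:
                hi = mid  # no line starts in [mid, hi)
                continue
            line = f.readline()
            digest, _, count = line.rstrip(b"\r\n").partition(b":")
            if digest == target:
                return int(count)
            if digest < target:
                lo = line_start + len(line)  # continue after this line
            else:
                hi = line_start  # every line from here on is larger
    return 0


# Constructed sample corpus: plaintexts and counts are made up for the demo
# so it runs offline; the real file has hundreds of millions of lines.
SAMPLE_LEAKED = {
    "password": 5_000_000,
    "123456": 7_000_000,
    "qwerty": 120_000,
    "letmein": 90_000,
    "hunter2": 17,
}


def write_sample_file(path: str) -> None:
    """Write SAMPLE_LEAKED in the HIBP layout: sorted by hash, CRLF line endings."""
    lines = sorted(f"{sha1_upper(p)}:{n}" for p, n in SAMPLE_LEAKED.items())
    with open(path, "wb") as f:
        f.write(("\r\n".join(lines) + "\r\n").encode("ascii"))


def run_demo(probes=("password", "hunter2", "Tr0ub4dor&3-not-in-sample")) -> dict:
    """Build the sample file in a temp dir and look up each probe; returns {password: count}."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pwned-passwords-sha1-ordered-by-hash.txt")  # constructed name
        write_sample_file(path)
        return {pw: pwned_count(pw, path) for pw in probes}


if __name__ == "__main__":
    for pw, n in run_demo().items():
        verdict = f"pwned, seen {n} times" if n else "not in the list"
        print(f"{pw!r}: {verdict}")
```

The seek-and-realign loop is the part worth studying: it keeps the invariant that the matching line, if present, starts inside `[lo, hi)`, and the `mid - 1` trick guarantees a line that begins exactly at the probe offset is still examined. The same search works on the NTLM variant of the list if you swap the hash function.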
It is still recommended that you change passwords that are found in the Have I Been Pwned database. Just visit the site or service in question, and start the change password process on the site.
You may use KeePass to generate strong passwords; these are checked against the Have I Been Pwned list automatically as well, so you get confirmation that a freshly generated password has not already leaked.
The main benefit of the method is that all checks are done locally. The downside is that you need to download a new release of the list regularly, a multi-gigabyte download each time, to check against the latest leaked passwords. For comparison, the online Pwned Passwords API does not receive full hashes either: clients send only the first five hex characters of the SHA-1 and match the rest locally (k-anonymity). The offline route mainly buys you independence from the service and lookups that are not observable on the network at all.
Now you: which password manager do you use?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.