This script checks KeePass passwords for pwnage, or in other words, whether they have been leaked online. It works with the haveibeenpwned API and PowerShell.
- Secure your workspace (optional - see below).
- Download the script from this repo to your PC and open it in the Windows PowerShell ISE.
- Review the script code and make sure you understand how it works.
- Run `Set-ExecutionPolicy Unrestricted -Scope Process`, which will allow the script to run.
- Run the script.
- When prompted, select your KeePass CSV export saved in a secure area.
- When the script is finished, look for a file containing "_pwned.csv" in the same folder.
- Open the file in Excel or another editor, review and change any pwned passwords.
- Don't panic. Just because a password has been leaked online doesn't mean that the account(s) associated with it have been compromised.
The script utilises haveibeenpwned's k-anonymity API and works in PowerShell, which means that anyone can verify how this script works and trust that their password isn't provided to any third parties for the purposes of this check. Obviously disclosing passwords to third parties (no matter how trustworthy) or running arbitrary code on them is not a good idea. Users of this script are advised to read through it first and understand how it works. It is also a bad idea to export KeePass databases in clear text CSV form to unencrypted storage or other insecure locations. One way to quickly secure your workspace for the purposes of running this script is described below.
The KeePass export of the database shouldn't be saved as CSV to an insecure location. One way to fix that would be to create a Cryptomator vault (open source) which can be used for this purpose and discarded.
- Install Cryptomator.
- Create a new vault and give it a very strong password generated by KeePass. The vault is just a bunch of encrypted files on disk that get mapped as a drive on your PC.
- Unlock the vault - this will map a new virtual drive on your computer.
- Use the new drive as the location where you save the KeePass CSV export.
- Lock and discard the vault or CSV files when finished.
This script does the following:
- Get CSV data exported from KeePass.
- Hash each password with SHA-1.
- Save the first five characters of the SHA-1 hash in a separate field. That way it is more obvious in the code that it is not sending the full hash to the API.
- Send the short hash to the API and get a list of matches from haveibeenpwned.
- Check if any of the results match the full hash saved locally.
- Mark any matches as pwned and export the results in a new CSV file.
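The steps above for a single password, as an added PowerShell example that is not the repo's script: the prefix/suffix split happens locally, only the five-character prefix is sent, and the suffix is matched against the response on the PC. The sample range response and its counts are constructed; the live call assumes the public haveibeenpwned range endpoint `https://api.pwnedpasswords.com/range/`.

```powershell
function Get-Sha1Hex {
    # Upper-case hex SHA-1 of the password, the form the range API returns
    param([Parameter(Mandatory)][string]$Password)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hash = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
    } finally { $sha1.Dispose() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToUpperInvariant()
}

function Test-PwnedSuffix {
    # Parses a range response ("SUFFIX:COUNT" per line) and returns the breach
    # count for our suffix, or 0 if it is not listed. Runs entirely offline.
    param([Parameter(Mandatory)][string]$Suffix,
          [Parameter(Mandatory)][string]$RangeResponse)
    foreach ($line in ($RangeResponse -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) { return [long]$parts[1] }
    }
    return 0
}

function Test-PwnedPassword {
    # Live check: only $prefix leaves the machine; $suffix is compared locally.
    param([Parameter(Mandatory)][string]$Password)
    $hash   = Get-Sha1Hex -Password $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    $resp = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix"
    return Test-PwnedSuffix -Suffix $suffix -RangeResponse $resp
}

# Offline demonstration with a constructed response for the prefix of "password"
# (SHA-1 5BAA61E4...): the counts are made up, not real API data.
$sampleResponse = @"
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4
"@
$hash = Get-Sha1Hex -Password 'password'
$count = Test-PwnedSuffix -Suffix $hash.Substring(5) -RangeResponse $sampleResponse
"Prefix sent: $($hash.Substring(0, 5)); suffix matched locally; count: $count"
```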
This is not a "proper" PowerShell script. It has been designed to be readable by novice users and does not follow usual standards or conventions. It is meant to do one job and one job only - and that is to allow anyone to check password pwnage, while establishing trust in the process. If you're writing your own script based on this, you can check good practice conventions here.