pass audit

A pass extension for auditing your password repository.

Description

pass audit is a password-store extension for auditing your password repository. Passwords will be checked against the Python implementation of Dropbox' zxcvbn algorithm and Troy Hunt's Have I Been Pwned Service. It supports safe breached password detection from haveibeenpwned.com using a K-anonymity method. Using this method, you do not need to (fully) trust the server that stores the breached password. You should read the security consideration section for more information.

Usage

usage: pass audit [-h] [-V] [-n NAME] [-v | -q] [pass-names]

 A pass extension for auditing your password repository. It supports safe
 breached password detection from haveibeenpwned.com using K-anonymity method,
 duplicated passwords, and password strength estimation using zxcvbn.

positional arguments:
  pass-names            Path(s) to audit in the password store, If empty audit the full store.

options:
  -h, --help            show this help message and exit
  -V, --version         Show the program version and exit.
  -n NAME, --name NAME  Check only passwords with this filename
  -v, --verbose         Set verbosity level, can be used more than once.
  -q, --quiet           Be quiet.

More information may be found in the pass-audit(1) man page.

See man pass-audit for more information.

Examples

Audit a subfolder for pwned passwords

pass audit goodpasswords/
(*) None of the 7 passwords tested are breached.
 .  But it does not means they are strong.

pass audit pwnedpasswords/
 w  Password breached: password from Password/pwned/5 has been breached 3303003 time(s).
 w  Password breached: correct horse battery staple from Password/pwned/2 has been breached 2 time(s).
[x] Error: 7 passwords tested and 2 breached passwords found.
 .  You should update them with 'pass-update'.

Security consideration

K-anonymity

This program uses K-anonymity to retrieve the knowledge of breached passwords from HIBP server. K-anonymity applied to breached password check on an untrusted remote server is a recent cryptographic approach. It means only the first five characters of the SHA1 hash of your password is sent to the server. It offers decent anonymity; nevertheless, it is not an entirely secure solution.

More reading:

• https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
• https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

Mandatory Access Control (MAC)

AppArmor profiles for pass and pass-audit are available in apparmor.d. If your distribution support AppArmor, you can clone the apparmor.d and run: sudo ./pick pass pass-import to only install these AppArmor security profiles.

Network

pass-audit only needs to establish network connection to connect to the haveibeenpwned.com server.

Password Update

You might also want to update the passwords imported using pass-update.

Installation

Requirements

• pass 1.7.0 or greater.
• Python 3.6+
• python3-setuptools to build and install it.
• python3-requests (apt install python3-requests or pip3 install requests)
• python3-zxcvbn (pip3 install zxcvbn)

ArchLinux

pass-audit is available in the Arch User Repository.

yay -S pass-audit  # or your preferred AUR install method

Debian/Ubuntu

pass-audit is available under my own debian repository with the package name pass-extension-audit. Both the repository and the package are signed with my GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC.

wget -qO - https://pkg.pujol.io/debian/gpgkey | sudo apt-key add -
echo 'deb [arch=amd64] https://pkg.pujol.io/debian/repo all main' | sudo tee /etc/apt/sources.list.d/pkg.pujol.io.list
sudo apt-get update
sudo apt-get install pass-extension-audit

FreeBSD

# install the binary package
pkg install py36-pass-audit

# or build it using the ports tree
make -C /usr/ports/security/py-pass-audit install clean

Using pip

pip install pass-audit

From git

git clone https://github.com/roddhjav/pass-audit/
cd pass-audit
python3 setup.py install

Stable version

wget https://github.com/roddhjav/pass-audit/releases/download/v1.2/pass-audit-1.2.tar.gz
tar xzf pass-audit-1.2.tar.gz
cd pass-audit-1.2
python3 setup.py install

Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC. You should check the key's fingerprint and verify the signature:

wget https://github.com/roddhjav/pass-audit/releases/download/v1.2/pass-audit-1.2.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-audit-1.2.tar.gz.asc

Local install

Alternatively, from git or a stable version you can do a local install with:

cd pass-audit
python3 setup.py install --user

Remember to set PASSWORD_STORE_ENABLE_EXTENSIONS to true for the local extension to be enabled.

Contribution

Feedback, contributors, pull requests are all very welcome.

Contributors

• Tobias Girstmair (zxcvbn)

License

Copyright (C) 2018-2022  Alexandre PUJOL and Contributors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.