@bobpaul
Created February 23, 2018 19:39
Keepass Password checker
#!/bin/bash
# This oneliner checks on pwnedpasswords.com to see if any passwords in your keepass password database
# are passwords that have been leaked in attacks known by haveIbeenpwned.com
#
# Your passwords are not transmitted to the website. Instead only the first 5 chars of the SHA1 hash are sent;
# the website then returns the remaining chars of every SHA1 hash that starts with those 5 chars. This script
# fetches that list, compares it locally and then prints the plain text of any passwords that match.
#
# Usage (tested with KeePassX; other keepass clients might export differently):
# 1. Export your keepass database to a text file (File -> Export to -> Text File) named keepass
# 2. Run this script (or copy-paste it into a shell) in that same dir.
#
# It's recommended that the dir is on a ramdisk or encrypted so that your plaintext passwords don't remain as
# file fragments on your disk
#
# Passwords are read with "IFS= read -r" and hashed with printf rather than echo, so spaces, leading dashes,
# backslashes and glob characters like * in a password are hashed as-is instead of being expanded by the shell.
# grep -i is needed because the API returns uppercase hex while sha1sum prints lowercase.
grep Password keepass | cut -b13- | while IFS= read -r password; do SHA=$(printf '%s' "$password" | sha1sum | cut -f1 -d' '); if curl -s "https://api.pwnedpasswords.com/range/$(printf '%s' "$SHA" | cut -b1-5)" | grep -i "$(printf '%s' "$SHA" | cut -b6-)"; then echo "$password"; fi; unset password; done
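The prefix/suffix comparison the oneliner performs, as an added example that is not bobpaul's code: it runs offline against a constructed stand-in for what the range endpoint returns, so the matching logic (uppercase vs. lowercase hex, CRLF line endings, exact suffix match, safe quoting of odd passwords) can be seen without any network call. The function names, the sample response body and its counts are all made up for this example.

```shell
#!/bin/sh
# Added example, not the gist's code: the k-anonymity check from the oneliner, run
# offline. pwned_suffix_count takes a password and the text that
# https://api.pwnedpasswords.com/range/<first 5 hex chars> would return (one
# "SUFFIX:COUNT" line per hash sharing that prefix) and prints the breach count,
# or 0 when the hash is absent. Only the 5-char prefix would ever leave the machine.

# SHA-1 of the exact bytes of $1, no trailing newline, as uppercase hex (the API
# uses uppercase; sha1sum prints lowercase, which is why the oneliner needs grep -i).
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1      # macOS ships shasum, not sha1sum
    fi | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# $1 = password, $2 = range response body. printf and quoting keep passwords with
# spaces, '*' or a leading '-' from being globbed or misread by echo.
pwned_suffix_count() {
    hash=$(sha1_hex "$1")
    suffix=$(printf '%s' "$hash" | cut -c6-)        # chars 6..40, compared locally
    # strip CR in case the body arrived with CRLF line endings; anchor on the suffix field
    line=$(printf '%s\n' "$2" | tr -d '\r' | grep -i "^${suffix}:" | head -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "${line#*:}"                   # the count after the colon
    else
        echo 0
    fi
}

# Constructed stand-in for a range/5BAA6 response (SHA-1 of "password" starts with
# 5BAA6); the other suffixes and all counts are made up, not real API data.
SAMPLE_RANGE_5BAA6='0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4C9B93F3F0682250B6CF8331B7EE68FD9:1'

pwned_suffix_count 'password' "$SAMPLE_RANGE_5BAA6"        # prints 12345
pwned_suffix_count 'correct horse' "$SAMPLE_RANGE_5BAA6"   # prints 0
```

A real run would replace the constructed body with `curl -s https://api.pwnedpasswords.com/range/$(printf '%s' "$hash" | cut -c1-5)`; the comparison stays identical.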
bobpaul commented Feb 23, 2018

More detailed API explanation. This oneliner DOES write the plaintext passwords to your shell window for any matches. You probably want to make sure to clear the scrollback buffer.

If you're using bash you can unset HISTFILE before exiting the shell to ensure any commands you type aren't saved to the ~/.bash_history file. This isn't a bad idea, as you might be tempted to grep password keepass -C5 to figure out which site that password was used on. You should probably read -sp "Password: " password; grep $password keepass -C5; unset password instead, so other processes can't spot your passwords by polling ps.
