Last active January 18, 2023 18:42
Check 1Password passwords against havibeenpwned.com password database.
#!/bin/bash
########################################################################################
# 1passwordpwnedcheck.sh - script to check 1password entries against known compromised
# passwords from haveibeenpwned.com
#
# Requirements:
# 1password CLI tool - https://app-updates.agilebits.com/product_history/CLI
# jq json parser - https://stedolan.github.io/jq/
#
# Resources:
# https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
# https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
# https://gist.github.com/IcyApril/56c3fdacb3a640f37c245e5813b98b99
########################################################################################
echo "Checking 1Password items against haveibeenpwned.com password list."
echo "Be patient, this might take a while."

# Title of the item with the given uuid.
_gettitle(){
  op get item "${1}" | jq -r '.overview.title?'
}

# Look up the password in $1 via the k-anonymity range API: only the first five
# hex characters of its SHA-1 leave the machine; the full hash is compared locally.
_checkhash(){
  # Some openssl versions print "(stdin)= <hash>"; -r gives "<hash> *stdin", so keep
  # only the first field. printf avoids echo mangling passwords that start with "-".
  hash="$(printf '%s' "${1}" | openssl sha1 -r | cut -d' ' -f1)"
  upperCase="$(echo "$hash" | tr '[:lower:]' '[:upper:]')"
  prefix="${upperCase:0:5}"
  response=$(curl -s "https://api.pwnedpasswords.com/range/$prefix")
  while read -r line; do
    line="${line%$'\r'}"  # the API returns CRLF line endings
    lineOriginal="$prefix$line"
    if [ "${lineOriginal:0:40}" == "$upperCase" ]; then
      title=$(_gettitle "$uuid")
      echo "Oh no! $title password pwned! You should probably change that one."
      (( pwnd_count += 1 ))
    fi
  done <<< "$response"
}

item_uuids=$(op list items | jq -c -r '.[].uuid')
pwnd_count=0
for uuid in ${item_uuids}; do
  pwd=$(op get item "$uuid" | jq -r '.details.fields[] | select(.designation == "password")|.value?' 2> /dev/null)
  # Items without a password field (secure notes, etc.) would otherwise be hashed
  # and checked as the empty string; skip them.
  [ -z "$pwd" ] && continue
  _checkhash "$pwd"
done
if [ $pwnd_count -eq 0 ]; then
  echo "Good news! No pwnd passwords found!"
else
  echo "Done. You have $pwnd_count passwords that need changing."
fi
exit 0
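The k-anonymity lookup the script depends on, as an added example that is not part of the gist: the hash is split into the 5-character prefix that goes to the API and the suffix that is matched locally, exercised offline against a constructed range response (the suffix lines and counts below are made up; the function names sha1_upper, hibp_range_url and pwned_count are this example's own).

```shell
#!/bin/sh
# Added example (not from the gist): the k-anonymity lookup the script relies on,
# exercised offline against a constructed range response instead of the live API.
set -eu

# Upper-case hex SHA-1 of $1. Portable across sha1sum (Linux), shasum (macOS)
# and openssl; '-r' makes openssl print "hash *stdin" instead of "(stdin)= hash".
sha1_upper() {
  if command -v sha1sum >/dev/null 2>&1; then
    h=$(printf '%s' "$1" | sha1sum)
  elif command -v shasum >/dev/null 2>&1; then
    h=$(printf '%s' "$1" | shasum -a 1)
  else
    h=$(printf '%s' "$1" | openssl sha1 -r)
  fi
  printf '%s' "$h" | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]'
}

# URL the script would fetch for $1: only the first 5 hex chars leave the host.
hibp_range_url() {
  printf 'https://api.pwnedpasswords.com/range/%s\n' "$(sha1_upper "$1" | cut -c1-5)"
}

# Breach count for password $1 given the range body $2 (lines "SUFFIX:COUNT",
# CRLF-terminated as the API sends them); prints 0 when the suffix is absent.
pwned_count() {
  suffix=$(sha1_upper "$1" | cut -c6-)
  printf '%s\n' "$2" | tr -d '\r' |
    awk -F: -v s="$suffix" '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}

# Constructed stand-in for GET /range/5BAA6 (a real reply has hundreds of lines and
# the counts here are invented). 5BAA6 is the SHA-1 prefix of "password".
SAMPLE_RANGE_5BAA6=$(printf '0041D0E8E0D8A6D3B6C1C2CF4D1B7B9E9AA:2\r\n1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n3F0F2A8C6E2B9D1A5C4E7F8B0A1D2C3E4F5:1\r\n')

# "password" matches; the second passphrase has a different prefix, so its suffix
# is simply not in this sample and the lookup reports 0.
for pw in password 'correct horse battery staple'; do
  n=$(pwned_count "$pw" "$SAMPLE_RANGE_5BAA6")
  if [ "$n" -gt 0 ]; then
    echo "'$pw' appears $n times in the sample range (would fetch $(hibp_range_url "$pw"))"
  else
    echo "'$pw' not found in the sample range"
  fi
done
```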
Just to note, havibeenpwned.com is wrong on multiple lines. An e is missing. It has to be haveibeenpwned.com
This is an excellent script. Thank you for making this! :)
Steps to use for new visitors: brew install jq, then ./1passwordpwnedcheck.sh to perform the test.