Check 1Password passwords against havibeenpwned.com password database.
#!/bin/bash
########################################################################################
# 1passwordpwnedcheck.sh - script to check 1password entries against known compromised
# passwords from havibeenpwned.com
#
# Requirements:
# 1password CLI tool - https://app-updates.agilebits.com/product_history/CLI
# jq json parser - https://stedolan.github.io/jq/
#
# Resources:
# https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
# https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
# https://gist.github.com/IcyApril/56c3fdacb3a640f37c245e5813b98b99
########################################################################################
echo "Checking 1Password items against havibeenpwned.com password list."
echo "Be patient, this might take a while."

pwnd_count=0

# Print the title of the 1Password item with the given UUID.
_gettitle(){
    op get item "${1}" | jq -r '.overview.title?'
}

# Check one password (arg 1), belonging to the item with UUID (arg 2), against the
# Pwned Passwords range API. Only the first 5 hex characters of the SHA-1 hash are
# sent; the comparison against the returned suffixes happens locally.
_checkhash(){
    # printf instead of echo -n: echo can mangle passwords that start with "-" or
    # contain backslashes. awk keeps only the digest, because many openssl versions
    # print it as "(stdin)= <digest>".
    hash="$(printf '%s' "${1}" | openssl sha1 | awk '{print $NF}')"
    upperCase="$(echo "$hash" | tr '[a-z]' '[A-Z]')"
    prefix="${upperCase:0:5}"
    response=$(curl -s "https://api.pwnedpasswords.com/range/$prefix")
    # Each response line has the form "<35-character hash suffix>:<count>".
    while read -r line; do
        lineOriginal="$prefix$line"
        if [ "${lineOriginal:0:40}" == "$upperCase" ]; then
            title=$(_gettitle "${2}")
            echo "Oh no! $title password pwned! You should probably change that one."
            (( pwnd_count += 1 ))
        fi
    done <<< "$response"
}

item_uuids=$(op list items | jq -c -r '.[].uuid')
for uuid in ${item_uuids}; do
    pwd=$(op get item "$uuid" | jq -r '.details.fields[] | select(.designation == "password")|.value?' 2> /dev/null)
    # Skip items without a password field instead of checking the hash of an empty string.
    [ -z "$pwd" ] && continue
    _checkhash "$pwd" "$uuid"
done

if [ "$pwnd_count" -eq 0 ]; then
    echo "Good news! No pwnd passwords found!"
else
    echo "Done. You have $pwnd_count passwords that need changing."
fi
exit 0

arunsathiya commented Aug 7, 2018

This is an excellent script. Thank you for making this! :)

Steps to use for new visitors:

  • Get 1Password CLI app and set it up.
  • Get JQ. Homebrew command if you are on Mac - brew install jq
  • Download this script .zip file, extract it, go into that folder using terminal and use ./1passwordpwnedcheck.sh to perform the test.

arunsathiya commented Aug 7, 2018

Just to note, havibeenpwned.com is wrong on multiple lines. An e is missing. It has to be haveibeenpwned.com
