Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

LastPwn ';-- have my LastPass passwords been pwned?

You can check single passwords using haveibeenpwned.com's web interface or its awesome REST API

But how can you check all my LastPass passwords against HIBP? There is this tool which works pretty well but it won't work for those of us who are paranoid and don't like the idea of revealing even 5 hex digits of their precious password hashes.

So can you do it offline? Yes. Download the pwned passwords list (make sure to get SHA1 one ordered by hash), unpack the file, and grep through it run this tool.

Security

The LastPass exported CSV file contains your plaintext passwords. For security, download it to RAM rather than disk.

If you are on Linux, create a directory in /dev/shm:

mkdir /dev/shm/pws

If you are on Mac, create a RAM disk:

diskutil erasevolume HFS+ "pws" `hdiutil attach -nomount ram://2048`

Go to LastPass → Account Options → Advanced → Export → LastPass CSV File and save it as e.g. /dev/shm/pws/lastpass.csv

Running

python3 lastpwn.py /dev/shm/pws/lastpass.csv <path-to>/pwned-passwords-sha1-ordered-by-hash-v4.txt

Performance

Since the program is comparing two ordered lists, the processing takes virtually the same amount of time whether you have 10 passwords or 1 million passwords in the CSV file.

About

HIBP for LastPass

Resources

Releases

No releases published

Packages

No packages published

Languages