A Rust CLI that provides a variety of ways to check the "health" of a given KeePass database, including checking passwords against the Have I Been Pwned password list.
WARNING: This software is a work in progress and still experimental. I would NOT use it with real KeePass databases or passwords just yet. I wrote a blog post about this project.
Medic provides four ways to check the "health" of a given KeePass database. Here's the current menu:
```
To check your KeePass database's passwords, do you want to:
==> 1. Check for weak passwords
==> 2. Check for duplicate passwords
==> 3. Check OFFLINE for breached passwords: Give me a database of SHA-1 hashed passwords to check your KeePass database against
==> 4. Check ONLINE for breached passwords: I will hash your passwords and send the first 5 characters of each hash over the internet to HaveIBeenPwned, in order to check if they've been breached.
```
Option 1 uses zxcvbn to find weak passwords in the given KeePass database.
Option 2 simply finds entries which have the exact same password. (Password re-use is bad.)
Option 3 requires users to download a large list of SHA-1 hashes of breached or compromised passwords. I tailored it to work with the Pwned Passwords lists from HaveIBeenPwned, which anyone can download here. Medic will then display a list of any passwords from the given KeePass database that also appear in the list of breached passwords.
Option 4 queries the Pwned Passwords API, sending only the first 5 characters of the SHA-1 hash of each of your passwords. The HIBP API returns every hash suffix that shares that prefix, and the tool iterates through those results looking for the full hash match. If it finds a match it displays that information, as well as how many times that password appears in the breach database.
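As an added illustration (not Medic's own code), here are the two hash checks from Options 3 and 4 in Python: the offline list lines and the range-API response below are constructed, and `fetch_range` is a stand-in for the HTTP call so everything runs offline.

```python
import hashlib
from typing import Callable, Iterable, Optional


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, uppercased to match the Pwned Passwords list format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-character prefix leaves the machine."""
    return digest[:5], digest[5:]


def count_from_range_response(suffix: str, body: str) -> Optional[int]:
    """Parse a range response ("SUFFIX:COUNT" per line) for our suffix."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return None


def check_online_style(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Option 4: hash locally, send the prefix, match the suffix locally."""
    prefix, suffix = split_for_range_query(sha1_upper(password))
    return count_from_range_response(suffix, fetch_range(prefix))


def check_offline(password: str, list_lines: Iterable[str]) -> Optional[int]:
    """Option 3: stream the downloaded 'HASH:COUNT' list, no network at all."""
    digest = sha1_upper(password)
    for line in list_lines:
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == digest:
            return int(count)
    return None


# Constructed sample data: the hash is the real SHA-1 of "password",
# but the counts are made up and not taken from HIBP.
FAKE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "00000000000000000000000000000000000:2\r\n"
)
FAKE_OFFLINE_LIST = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "0000000000000000000000000000000000000000:2",
]
```

Swap `fetch_range` for a real HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` to reproduce the online check; the offline check works by passing the opened list file as `list_lines`.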
- Install Rust if you haven't already
- Clone down the repo
- Optional: If you'd like to check if any of your passwords have been breached without sending any information about them over the internet, you'll need to download the Pwned Passwords list, ideally via torrent*. Choose the SHA-1 version, the one ordered by prevalence. You'll need about 35 GB of space free to do this. The torrent downloads a `.7z` compressed file. Double click it to extract it to a ~22 GB text file. That's what this program will need to work with.
* If you're new to torrents, Transmission is a decent choice for an application to download torrents, which apparently works on Mac and Windows. (Personally, on Kubuntu, I used KTorrent.) Once you have Transmission or another torrent-handling application installed, click the green "torrent" button on the Pwned Passwords site. Save the (very small) `.torrent` file to your computer, then open that file with your torrent-downloading software. You may have to click "OK" or "Start", but once you do you'll be (probably slowly) downloading hundreds of millions of hashed passwords.
Running the tool
- While in the folder of this tool, run `cargo run --release`
- Make a choice from the presented menu (see above).
- Follow the subsequent instructions.
If you're worried about this tool sending any information over the internet without your knowledge, you can run it in "Paranoid mode".
In "Paranoid mode", Medic can only open KeePass databases if your computer is disconnected from the internet.
To run Medic in Paranoid mode, run `cargo run --release -- -p`. You'll be presented with a more-limited menu of options. Before making a menu choice, turn off your connection to the internet.
How I chose to use this tool
- Download the PwnedPasswords list (11 GB compressed, 22 GB extracted).
- Open your KeePass database in KeePassXC or whatever desktop app you use to open your database.
- Export your KeePass database to a CSV file (In KeePassXC: `Database` menu > "Export to CSV...") (Heads up, this file includes your passwords, so be careful).
- Lock your KeePass database.
- Clone down this tool and set it up following the instructions above.
- Run Medic by entering the following command: `cargo run --release`
- Choose to perform the offline PwnedPasswords check. Optional: Search for weak or duplicate passwords. Copy and paste results in a new, local text document.
- When finished, securely delete that exported CSV file. If on macOS, run `srm <file_name>.csv`. On Ubuntu-based Linux distros, try `shred -ufv --iterations=45 <file_name>.csv`. Your sensitive data should now be safely deleted, but feel free to securely delete Medic itself if so inclined.
- Better error handling
- Write more tests
- Handle entries with blank passwords better
- Offer an option to check for similar passwords (maybe using zxcvbn?)
- Design/commission a logo?!
- A KeePass extension for checking against HaveIBeenPwned
- HIBPOfflineCheck - A KeePass plugin that performs offline checks against the haveibeenpwned passwords file