pass-audit 1.2

Description:

passaudit 1.2

pass audit

A pass extension for auditing your password repository.
Description
pass audit is a password-store extension for auditing your password repository.
Passwords will be checked against the Python implementation of Dropbox'
zxcvbn algorithm and Troy Hunt's Have I Been Pwned Service.
It supports safe breached password detection from haveibeenpwned.com
using a K-anonymity method. Using this method, you do not need to
(fully) trust the server that stores the breached password. You should read the
security consideration section for more information.
Usage
usage: pass audit [-h] [-V] [-n NAME] [-v | -q] [pass-names]

A pass extension for auditing your password repository. It supports safe
breached password detection from haveibeenpwned.com using K-anonymity method,
duplicated passwords, and password strength estimaton using zxcvbn.

positional arguments:
pass-names Path(s) to audit in the password store, If empty audit the full store.

options:
-h, --help show this help message and exit
-V, --version Show the program version and exit.
-n NAME, --name NAME Check only passwords with this filename
-v, --verbose Set verbosity level, can be used more than once.
-q, --quiet Be quiet.

More information may be found in the pass-audit(1) man page.

See man pass-audit for more information.
Examples
Audit a subfolder for pwned passwords
pass audit goodpasswords/
(*) None of the 7 passwords tested are breached.
. But it does not means they are strong.

pass audit pwnedpasswords/
w Password breached: password from Password/pwned/5 has been breached 3303003 time(s).
w Password breached: correct horse battery staple from Password/pwned/2 has been breached 2 time(s).
[x] Error: 7 passwords tested and 2 breached passwords found.
. You should update them with 'pass-update'.

Security consideration
This program uses K-anonymity to retrieve the knowledge of breached passwords
from HIBP server. K-anonymity applied to breached password check on an untrusted
remote server is a recent cryptographic approach. It means only the first five
characters of the SHA1 hash of your password is sent to the server. It offers
decent anonymity; nevertheless, it is not an entirely secure solution.
More reading:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

Installation
Requirements

pass 1.7.0 or greater.
Python 3.6+
python3-setuptools to build and install it.
python3-requests (apt install python3-requests or pip3 install requests)
python3-zxcvbn (pip3 install zxcvbn)

ArchLinux
pass-audit is available in the Arch User Repository.
yay -S pass-audit # or your preferred AUR install method

Debian/Ubuntu
pass-audit is available under my own debian repository with the package name
pass-extension-audit. Both the repository and the package are signed with
my GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC.
wget -qO - https://pkg.pujol.io/debian/gpgkey | sudo apt-key add -
echo 'deb [arch=amd64] https://pkg.pujol.io/debian/repo all main' | sudo tee /etc/apt/sources.list.d/pkg.pujol.io.list
sudo apt-get update
sudo apt-get install pass-extension-audit

FreeBSD
# install the binary package
pkg install py36-pass-audit

# or build it using the ports tree
make -C /usr/ports/security/py-pass-audit install clean

Using pip
pip install pass-audit

From git
git clone https://github.com/roddhjav/pass-audit/
cd pass-audit
python3 setup.py install

Stable version
wget https://github.com/roddhjav/pass-audit/releases/download/v1.2/pass-audit-1.2.tar.gz
tar xzf pass-audit-1.2.tar.gz
cd pass-audit-1.2
python3 setup.py install

Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC.
You should check the key's fingerprint and verify the signature:
wget https://github.com/roddhjav/pass-audit/releases/download/v1.2/pass-audit-1.2.tar.gz.asc
gpg --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
gpg --verify pass-audit-1.2.tar.gz.asc

Local install
Alternatively, from git or a stable version you can do a local install with:
cd pass-audit
python3 setup.py install --user

Remember to set PASSWORD_STORE_ENABLE_EXTENSIONS to true for the local
extension to be enabled.
Contribution
Feedback, contributors, pull requests are all very welcome.
Contributors

Tobias Girstmair (zxcvbn)

License
Copyright (C) 2018-2022 Alexandre PUJOL and Contributors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.