The pwned-passwords-1.0.txt file is a massive but sorted list of sha1 hashes.
grep takes forever to go through it for a single password (it doesn't know anything about digging through sorted files). On the other hand, a tool I found to be helpful is sgrep (https://sourceforge.net/projects/sgrep/), which assumes a file with sorted lines and does a binary search through it. With that tool installed, I can dig through my password database of some 300 encrypted passwords, decrypt them, hash them, and find them in the file in about a minute total (slow machine with encrypted magnetic storage).

Here's the command line used:

    find ~/.password-store -name '*.gpg' \
      -exec sh -c '/usr/local/bin/sgrep "$(gpg2 -d -q < "$1" | head -n 1 | tr -d "\n" | sha1sum | cut -d " " -f 1 | tr a-z A-Z)" pwned-passwords-1.0.txt' sh {} \; \
      -printf 'MATCH %f with ' \
      -exec sh -c 'gpg2 -d -q < "$1" | head -n 1' sh {} \;

I imagine this sort of thing might be useful as a plugin and broken out into many lines, as it's a mess... but I thought it'd be very helpful. It does end up with some false positives if you store empty password fields, but it is useful nonetheless.

If there are any other massive password stores to scan against, perhaps we can set up a wiki page with references to password dumps and references on how to use this (in this case a shell script + sgrep to go through it). In general, a randomly generated password should probably not ever match the list, but for dealing with old accounts / manually generated passwords it seems an invaluable utility.

-- Thomas Harning Jr. (http://about.me/harningt)
Password-Store mailing list: https://lists.zx2c4.com/mailman/listinfo/password-store
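The lookup the post relies on is a binary search over a file whose lines are sorted, which is what makes sgrep fast where grep scans every line. The following is an added example, not code from the post or from the pass project: a pure-Python stand-in for that binary search, so the technique can be run without sgrep, gpg or the real dump. The dump file name, the six "leaked" passwords and the two probe passwords are constructed for the demo; the empty string is included in the sample because the post reports that empty password fields produce matches. The search works on variable-length lines and compares only the first 40 bytes of each line, so it also tolerates a trailing suffix after the hash.

```python
"""Binary search over a sorted list of uppercase hex SHA-1 hashes, one per line."""
import hashlib
import os
import tempfile


def sha1_upper(password: str) -> bytes:
    """Uppercase hex SHA-1 of a password, as bytes for direct line comparison."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")


def sorted_file_contains(path: str, key: bytes) -> bool:
    """Binary search a file of sorted lines for one whose first 40 bytes equal key.

    Each probe seeks into the middle of the unsearched byte range, discards the
    partial line it landed in and compares the next complete line, so lines may
    have any length. Invariant: a matching line, if present, starts in [lo, hi).
    """
    size = os.path.getsize(path)
    lo, hi = 0, size
    with open(path, "rb") as f:
        while lo < hi:
            mid = (lo + hi) // 2
            if mid == 0:
                f.seek(0)
            else:
                # Reading from one byte before mid up to the next newline lands
                # on the first line start >= mid, even when mid itself is the
                # first byte of a line.
                f.seek(mid - 1)
                f.readline()
            start = f.tell()
            if start >= hi:
                # No line starts inside [mid, hi); shrink the range from the top.
                hi = mid
                continue
            candidate = f.readline()[:40]
            if candidate < key:
                lo = f.tell()   # a match must start after this line
            elif candidate > key:
                hi = start      # a match must start before this line
            else:
                return True
    return False


def check_passwords(dump_path: str, passwords):
    """Map each password to True if its SHA-1 appears in the sorted dump."""
    return {pw: sorted_file_contains(dump_path, sha1_upper(pw)) for pw in passwords}


# Constructed sample standing in for pwned-passwords-1.0.txt (assumption: the
# real file is sorted ascending by uppercase hex hash, which is what sgrep needs).
LEAKED_SAMPLE = ["", "123456", "password", "qwerty", "letmein", "abc123"]


def write_sample_dump(path: str):
    """Write the sample hashes in sorted order, one per line, like the real dump."""
    hashes = sorted(sha1_upper(pw) for pw in LEAKED_SAMPLE)
    with open(path, "wb") as f:
        for h in hashes:
            f.write(h + b"\n")
    return hashes


def demo():
    """Build the sample dump in a temp dir and look up leaked and non-leaked probes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pwned-sample.txt")
        write_sample_dump(path)
        probes = LEAKED_SAMPLE + ["kzV7!pQ2rL9#eW4m", "Tr0ub4dor&3"]  # constructed probes
        return check_passwords(path, probes)


if __name__ == "__main__":
    for pw, hit in demo().items():
        print(("MATCH " if hit else "ok    ") + repr(pw))
```

Pointed at the real file, `sorted_file_contains` does about log2(lines) seeks per password, the same cost profile as sgrep; the decrypt-and-hash step from the post stays outside this function, which only ever sees the hash.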
