I stumbled upon this thread earlier today on the 1Password forums, and I definitely agree with what Brenty said. It’s an excellent script to quickly check your 1Password password list against haveibeenpwned.com’s compromised-password database!
If you are a 1Password user, you should have noticed that the 1Password 7 app on Mac and Windows has a new feature/section called Vulnerable Passwords, which checks that the passwords in your 1Password list have not been exposed in a data breach.
This GUI feature is handy, but it’s challenging to check the status of each password.
That’s where this script helps.
- Get the 1Password CLI app and set it up.
- Get jq. Homebrew command if you are on Mac:
brew install jq
- Download this script .zip file, extract it, enter that folder in a terminal and run
./1passwordpwnedcheck.sh
to perform the test. You will be asked to sign in to your 1Password account if you are not signed in at that time.
Do note that the 1Password CLI app logs you out every 30 minutes. This is as explained on the 1Password CLI setup page: “Session tokens expire after 30 minutes of inactivity, after which you’ll need to sign in again.”
In case you want to copy the script, here it is.
#!/bin/bash
########################################################################################
# 1passwordpwnedcheck.sh - script to check 1password entries against known compromised
# passwords from haveibeenpwned.com
#
# Requirements:
#   1password CLI tool - https://app-updates.agilebits.com/product_history/CLI
#   jq json parser     - https://stedolan.github.io/jq/
#
# Resources:
#   https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
#   https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
#   https://gist.github.com/IcyApril/56c3fdacb3a640f37c245e5813b98b99
########################################################################################

# Print the title of the 1Password item with the given uuid.
_gettitle(){
  op get item "${1}" | jq -r '.overview.title?'
}

# Check one password against the Pwned Passwords range API (k-anonymity: only the
# first 5 hex chars of the SHA-1 hash leave the machine). $1 = password, $2 = item uuid.
_checkhash(){
  # printf avoids echo's option parsing and word splitting on odd passwords;
  # awk keeps only the digest, since newer openssl prints "(stdin)= <hash>".
  hash="$(printf '%s' "${1}" | openssl sha1 | awk '{print $NF}')"
  upperCase="$(printf '%s' "$hash" | tr '[:lower:]' '[:upper:]')"
  prefix="${upperCase:0:5}"
  response=$(curl -sf "https://api.pwnedpasswords.com/range/${prefix}")
  # Each response line is "<35-char suffix>:<count>"; compare prefix+suffix to our hash.
  while read -r line; do
    lineOriginal="${prefix}${line}"
    if [ "${lineOriginal:0:40}" == "$upperCase" ]; then
      title=$(_gettitle "${2}")
      echo "Oh no! $title password pwned! You should probably change that one."
      (( pwnd_count += 1 ))
    fi
  done <<< "$response"
}

echo "Checking 1Password items against haveibeenpwned.com password list."
echo "Be patient, this might take a while."
item_uuids=$(op list items | jq -c -r '.[].uuid')
pwnd_count=0
for uuid in ${item_uuids}; do
  password=$(op get item "$uuid" | jq -r '.details.fields[]? | select(.designation == "password") | .value?' 2> /dev/null)
  # Items without a password field (secure notes, etc.) have nothing to check.
  [ -z "$password" ] && continue
  _checkhash "$password" "$uuid"
done
if [ $pwnd_count -eq 0 ]; then
  echo "Good news! No pwnd passwords found!"
else
  echo "Done. You have $pwnd_count passwords that need changing."
fi
exit 0
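The same k-anonymity range check as the script performs, written here as an added Python example (not the post's script and not 1Password's or HIBP's code): only the 5-character SHA-1 prefix is sent, the 35-character suffix is compared locally. The range response embedded below is constructed, with made-up counts, so the matching logic runs offline; `fetch_range` is the only part that touches the network.

```python
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"
# Constructed sample of what the range endpoint returns for prefix 5BAA6 (the SHA-1
# prefix of "password"). Real responses are CRLF-separated "SUFFIX:COUNT" lines; the
# counts here are made up, not real breach figures.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\r\n"
)

def sha1_upper(password):
    """Upper-case hex SHA-1 of the password, the form the range API compares against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest):
    """5-char prefix that is sent to HIBP and 35-char suffix that never leaves the host."""
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Map each suffix in a 'SUFFIX:COUNT' response to its breach count."""
    counts = {}
    for line in body.splitlines():  # handles CRLF line endings
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    """Query the real range endpoint (network); not used by the offline checks below."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in breaches, 0 if not found.
    `fetch` takes a 5-char prefix and returns the response body, so it can be swapped
    for an offline sample."""
    digest = sha1_upper(password)
    prefix, suffix = split_hash(digest)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

if __name__ == "__main__":
    # Offline run against the constructed sample: "password" matches, the other does not.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, fetch=offline))
```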