
pass-audit's Introduction

Hi there 👋

Just a French living in Ireland. Security researcher at The Collaboratory. Ph.D from University College Dublin. My area of work includes user privacy, secret management and system security.

If you like my work and want me to be able to keep improving it, please sponsor me on GitHub.

Generally you can find me on many places as roddhjav: Mastodon | Twitter | Gitlab | Keybase

My projects

Pass

  • pass-audit: A pass extension for auditing your password repository. (python)
  • pass-import: A pass extension for importing data from most existing password managers. (python)
  • pass-tomb: A pass extension that helps you keep the whole tree of passwords encrypted inside a Tomb. (bash)
  • pass-update: A pass extension that provides an easy flow for updating passwords. (bash)

System Security

  • apparmor.d: Full set of AppArmor profiles (~ 1400 profiles). (go)

pass-audit's People

Contributors

anarcat, blabber, elmarx, girst, ma27, pabs3, rccoles, roddhjav, tadfisher, thperret, xdbob

pass-audit's Issues

pass-audit doesn't check entire password store

If I run pass audit, then I expect it to prompt for the passphrase to my key (which it does) and then check all my passwords against the HIBP database. Unfortunately, it only checks part of my database. The output is the following:

  .  Auditing whole store - this may take some time
 (*) None of the xx passwords tested are breached.
  .  But this does not mean they are strong.

Unfortunately, I have yy passwords in my store. xx of those are in subdirectories, while the rest are in the base directory. While I don't know which passwords are being checked, I have a strong suspicion it's only checking passwords inside subdirectories. For reference, my organisation is as follows:

.password-store
- Folder
   - site1.gpg
   - site2.gpg
- site3.gpg
- site4.gpg

I believe that pass audit only checks the passwords stored in Folder in the above schema. I'm using OSX, if it makes any difference.

Request for clarification why pass audit is detecting a Weak Password (dictionary)

Hi @roddhjav ,

I wanted to say that pass audit is a great extension to pass.

I'm not sure if you review these issues or if this is even an appropriate question, but I thought I would ask anyway.

I ran pass audit and found a few of my passwords are raised as a Weak password (dictionary). An example is the one below (this is from a defunct account).
w Weak password detected: rxed5Q^$J2Sq from Games/EveOnline might be weak. Score 0 (461 guesses). This estimate is based on the sequence rxed5Q^$J2Sq(dictionary)

I understand that pass audit is just passing the password to hibp to evaluate it. But when I go to the hibp web portal, to the passwords section, and check the password rxed5Q^$J2Sq it says 'no pwnage found'.

I'm not sure if I am missing something or if you can explain this difference?

Thanks

Max retries exceeded

pass audit stopped processing the passwords with requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api.pwnedpasswords.com', port=443): Max retries exceeded with url:

I think it might make sense to add a small incremental delay with some max value to avoid this kind of problem.
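Added here as an example, not pass-audit's own code, to go with the two reports above. The "Weak password detected ... Score 0 (461 guesses)" line is the output of the local zxcvbn strength estimator (the tracebacks further down this page show pass-audit calling it); Have I Been Pwned only answers whether the SHA-1 of a password appears in its breach corpus, so a password can be unbreached and still score 0. The block below does the HIBP lookup the way the range API works (five hex characters of the hash are sent, the remaining 35 are compared locally) and wraps the request in a capped exponential backoff, as the "Max retries exceeded" report suggests. The api.pwnedpasswords.com call is replaced by a constructed stand-in so the code runs offline; the retry limits are assumptions, and the breach count for 'password' in the constructed response is made up.

```python
"""Added example: HIBP range lookup with backoff. Not pass-audit's own code."""
import hashlib
import time

# Assumed retry policy for this example (not pass-audit settings): up to 5 tries,
# sleeping 0.5s, 1s, 2s, 4s, 8s between them.
MAX_RETRIES = 5
BASE_DELAY = 0.5
MAX_DELAY = 8.0


def hibp_prefix_and_suffix(password):
    """Split the uppercase SHA-1 hex of the password into the 5-character prefix
    that is sent to the range API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_with_backoff(fetch_range, prefix, sleep=time.sleep):
    """Call fetch_range(prefix) until it succeeds; wait longer after each failure
    instead of hammering the API, and give up after MAX_RETRIES attempts."""
    for attempt in range(MAX_RETRIES):
        try:
            return fetch_range(prefix)
        except ConnectionError:
            if attempt == MAX_RETRIES - 1:
                raise
            sleep(min(BASE_DELAY * (2 ** attempt), MAX_DELAY))


def breach_count(password, fetch_range, sleep=time.sleep):
    """Return how many times the password appears in the corpus (0 if absent).
    Only the hash prefix leaves the host; the suffix match happens here."""
    prefix, suffix = hibp_prefix_and_suffix(password)
    body = fetch_with_backoff(fetch_range, prefix, sleep)
    for line in body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


class ConstructedRangeApi:
    """Stand-in for GET api.pwnedpasswords.com/range/<prefix>: serves a constructed
    response body and fails the first `failures` calls to exercise the backoff."""

    def __init__(self, ranges, failures=0):
        self.ranges = ranges
        self.failures = failures
        self.calls = 0

    def __call__(self, prefix):
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("constructed: Max retries exceeded")
        return self.ranges.get(prefix, "")


# Constructed response for the prefix of sha1("password"); the counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E9A18B5AF3D1F8EBA5D3C4E6F0A1B2C3D4:1\n",
}


if __name__ == "__main__":
    api = ConstructedRangeApi(CONSTRUCTED_RANGES, failures=2)
    seen = breach_count("password", api, sleep=lambda s: None)
    print(f"'password' seen {seen} times after {api.calls} API calls")
    print("unbreached constructed password seen",
          breach_count("not-in-constructed-range", api, sleep=lambda s: None), "times")
```

A real client would pass a function that performs the HTTPS request in place of ConstructedRangeApi; the lookup and backoff logic do not change.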

`pass audit /` hangs

Trying to audit all of my passwords, I ran:

pass audit

Since I am on the release version, I get:

[x] Error: pass-names not present. See 'pass audit -h'

So I tried the following:

pass audit -v /

Nothing is printed, and after several minutes, I killed the process:

^CTraceback (most recent call last):
  File "/usr/lib/password-store/audit/audit.py", line 258, in <module>
    main(sys.argv)
  File "/usr/lib/password-store/audit/audit.py", line 232, in main
    for path in store.list(arg.paths):
  File "/usr/lib/password-store/audit/audit.py", line 130, in list
    for file in glob.glob(prefix + '*/**/*.gpg', recursive=True):
  File "/usr/lib/python3.6/glob.py", line 20, in glob
    return list(iglob(pathname, recursive=recursive))
  File "/usr/lib/python3.6/glob.py", line 71, in _iglob
    for dirname in dirs:
  File "/usr/lib/python3.6/glob.py", line 72, in _iglob
    for name in glob_in_dir(dirname, basename, dironly):
  File "/usr/lib/python3.6/glob.py", line 110, in _glob2
    yield from _rlistdir(dirname, dironly)
  File "/usr/lib/python3.6/glob.py", line 138, in _rlistdir
    for y in _rlistdir(path, dironly):
  File "/usr/lib/python3.6/glob.py", line 138, in _rlistdir
    for y in _rlistdir(path, dironly):
  File "/usr/lib/python3.6/glob.py", line 138, in _rlistdir
    for y in _rlistdir(path, dironly):
  [Previous line repeated 65 more times]
  File "/usr/lib/python3.6/glob.py", line 133, in _rlistdir
    names = list(_iterdir(dirname, dironly))
  File "/usr/lib/python3.6/glob.py", line 122, in _iterdir
    for entry in it:
KeyboardInterrupt

Perhaps the extension is recursing through the .git subdirectory or the actual filesystem root? I would expect this to behave similarly to pass audit "", which does happen to work on the release version.
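An added example, not pass-audit's own code, covering this report and the first one on the page ("doesn't check entire password store"). The traceback above shows the pattern prefix + '*/**/*.gpg': the leading '*/' requires at least one directory component, so entries directly under the store root never match, which is consistent with only the Folder/ entries being audited in the first report. Why '/' walks the whole filesystem is an assumption here (an absolute argument discarding the store prefix); the block below simply refuses any argument that resolves outside the store. Everything else (PASSWORD_STORE_DIR lookup, the glob_as_shipped helper name, the temp-dir store) is constructed for the example.

```python
"""Added example (not pass-audit's own code): enumerate the entries an audit
should cover, given the store root and the path arguments the user passed."""
import glob
import os
import tempfile
from pathlib import Path


def store_root():
    # Assumption: same lookup as pass itself, PASSWORD_STORE_DIR or ~/.password-store.
    return Path(os.environ.get("PASSWORD_STORE_DIR", Path.home() / ".password-store"))


def list_entries(root, paths=("",)):
    """Return sorted pass names (relative to the store, without .gpg) for every
    requested path. Top-level entries are included, dot-directories such as .git
    are skipped, and an argument like '/' or '../x' cannot escape the store."""
    root = Path(root).resolve()
    names = set()
    for requested in paths:
        # A leading '/' would otherwise make the argument absolute and send the
        # walk down the whole filesystem; confine it to the store instead.
        target = (root / requested.lstrip("/")).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"{requested!r} is outside the password store")
        as_file = target.parent / (target.name + ".gpg")
        if target.is_dir():
            candidates = target.rglob("*.gpg")
        elif as_file.is_file():
            candidates = [as_file]
        elif target.is_file() and target.suffix == ".gpg":
            candidates = [target]
        else:
            raise FileNotFoundError(f"{requested!r} is not in the password store")
        for file in candidates:
            rel = file.relative_to(root)
            if any(part.startswith(".") for part in rel.parts):
                continue  # .git/ and other hidden trees are not entries
            names.add(rel.with_suffix("").as_posix())
    return sorted(names)


def glob_as_shipped(root):
    """The pattern from the traceback, kept for contrast: the leading '*/'
    requires at least one directory component, so files directly under the
    store root are never matched."""
    prefix = str(Path(root).resolve()) + "/"
    files = glob.glob(prefix + "*/**/*.gpg", recursive=True)
    return sorted(f[len(prefix):-len(".gpg")] for f in files)


def build_constructed_store():
    """Recreate the layout from the first report in a temp dir; empty files stand
    in for encrypted entries and a .git tree is added to show it is skipped."""
    root = Path(tempfile.mkdtemp(prefix="pass-store-"))
    for name in ("Folder/site1.gpg", "Folder/site2.gpg", "site3.gpg", "site4.gpg",
                 ".git/stray.gpg", ".gpg-id"):
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).touch()
    return root


if __name__ == "__main__":
    demo_root = build_constructed_store()
    print("shipped glob:", glob_as_shipped(demo_root))
    print("all entries: ", list_entries(demo_root))
    print("'/' argument:", list_entries(demo_root, ["/"]))
```

Run against the constructed store, glob_as_shipped returns only the two Folder/ entries while list_entries returns all four, and the '/' argument behaves like an empty one.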

option more verbose

request: options for more verbose output, like checked this [[filename]], api response etc etc
btw very nice project, thank you.

Check for duplicate / re-used passwords

Hey,
first of all, thanks for the great project!

I guess the title is pretty self-explanatory: it would be great if the passwords were also checked for duplicates, as it's best practice to not re-use passwords.

Off the top of my head and without diving into the codebase, I think this feature would pose 2 immediate challenges:

  1. All passwords need to be hashed upfront and kept in memory to provide somewhat reasonable speed. This might be an issue for VERY large password-store's, but should generally be fine and could also be opt-in/-out.
  2. What happens if only a subset of the password-store is audited. In this case, I think it's fine to also use the same subset to search for duplicates, as the user specifically requested not to touch the rest.

New Release?

Hi @roddhjav,

would you mind rolling up a new release? I am preparing a submission to the FreeBSD ports tree and would love to submit a version containing password strength estimation (and the commit history suggests that the source is quite stable).

Thanks,
Tobias

Filter out/warn about passwordless entries

I got the following error when auditing my store:

Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.9/site-packages/pass_audit/__main__.py", line 151, in <module>
    main()
  File "/usr/lib/python3.9/site-packages/pass_audit/__main__.py", line 144, in main
    breached, weak = pass_audit(msg, data)
  File "/usr/lib/python3.9/site-packages/pass_audit/__main__.py", line 107, in pass_audit
    weak = audit.zxcvbn()
  File "/usr/lib/python3.9/site-packages/pass_audit/audit.py", line 88, in zxcvbn
    results = zxcvbn(password, user_inputs=user_input)
  File "/usr/lib/python3.9/site-packages/zxcvbn/__init__.py", line 28, in zxcvbn
    result = scoring.most_guessable_match_sequence(password, matches)
  File "/usr/lib/python3.9/site-packages/zxcvbn/scoring.py", line 204, in most_guessable_match_sequence
    optimal_match_sequence = unwind(n)
  File "/usr/lib/python3.9/site-packages/zxcvbn/scoring.py", line 181, in unwind
    for candidate_l, candidate_g in optimal['g'][k].items():
IndexError: list index out of range

Turns out it got thrown when checking an entry storing just OTP metadata and no password (i.e., with empty first line). The root of the problem seems to be that zxcvbn.zxcvbn crashes when given an empty string, but even so, I believe that pass-audit should recognize that the file has nothing to audit and ignore it/emit a warning. The fix seems to be quite simple, so I can prepare a PR soon.

Don't report dupes when the file is the same.

I use pass with browserpass, which relies on embedding the domain name in the path and optionally the username in the path.
My employer has outsourced their e-mail service to Microsoft but using the same Active Directory for the password and a slightly different username. There are a few other websites which require similar setups.

Since, in this case, I want to use the same password with different domains/usernames I have made a symlink from one location in the .passwordstore tree to another. An approach described that seems to meet with the approval of the browserpass maintainers at least.

This causes pass-audit to warn about duplicate passwords. While no doubt not very important it would be great if pass-audit didn't warn about duplicates when the "dupes" are a result of a single file having multiple names.
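An added example, not pass-audit's own code, for the duplicate-password request above and for this symlink report. It addresses the two concerns raised in the request: nothing but a 32-byte HMAC tag per entry is held in memory (the key is random per run, so the index is worthless if it leaks), and only the entries handed to the function are compared. Entries that resolve to the same inode, such as a symlink to another entry, are counted once, so a single file with several names is not reported as a re-used password. Decryption is replaced by reading plaintext files in pass's layout, and the store, names and passwords are constructed for the example.

```python
"""Added example (not pass-audit's own code): report re-used passwords across a
store without counting a file that is reachable under several names twice."""
import hashlib
import hmac
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def read_password(path):
    """Stand-in for gpg decryption: the constructed entries below are plaintext
    files in pass's layout, password on line 1, metadata after it."""
    return path.read_text(encoding="utf-8").split("\n", 1)[0]


def find_duplicates(root):
    """Return groups of entry names that share a password.

    Plaintext passwords are not retained: each is reduced to an HMAC under a
    random per-run key, so the in-memory index cannot be reversed or matched
    against anything else. Entries that resolve to the same inode (a symlink
    or hard link to another entry) are the same file and are counted once."""
    root = Path(root)
    key = os.urandom(32)
    seen_inodes = set()
    groups = defaultdict(list)
    for file in sorted(root.rglob("*.gpg")):
        rel = file.relative_to(root)
        if any(part.startswith(".") for part in rel.parts):
            continue  # skip .git and other hidden trees
        st = file.stat()  # follows symlinks, so the target's inode is used
        if (st.st_dev, st.st_ino) in seen_inodes:
            continue  # same file under another name, not a re-used password
        seen_inodes.add((st.st_dev, st.st_ino))
        password = read_password(file)
        if not password:
            continue  # nothing to compare for password-less (e.g. OTP-only) entries
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()
        groups[tag].append(rel.with_suffix("").as_posix())
    return sorted(names for names in groups.values() if len(names) > 1)


def build_constructed_store():
    """Constructed store: two shop entries sharing a password, one entry symlinked
    under a second domain for the same directory account, one unique entry."""
    root = Path(tempfile.mkdtemp(prefix="pass-dupes-"))
    entries = {
        "work/mail.example.com.gpg": "Tr0ub4dor&3\nlogin: alice\n",
        "shop/a.example.gpg": "hunter2\nlogin: alice\n",
        "shop/b.example.gpg": "hunter2\nlogin: alice2\n",
        "bank/c.example.gpg": "unique-pass-for-bank\n",
    }
    for name, text in entries.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(text, encoding="utf-8")
    # The same file under a second name, as in the browserpass setup described above.
    (root / "work/outlook.office.com.gpg").symlink_to("mail.example.com.gpg")
    return root


if __name__ == "__main__":
    for group in find_duplicates(build_constructed_store()):
        print("same password:", ", ".join(group))
```

On the constructed store only the two shop entries are reported; the symlinked work entry shares an inode with its target and is treated as one entry.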

invalid user ID when a revoked key is listed after a good key

My gpg --list-keys lists a revoked key after my current key.

The current implementation for isvalid:

            for line in out.split('\n'):
                record = line.split(':')
                if record[0] == 'pub':
                    trust = record[1]
            if trust not in trusted:
                return False

only checks the trust level of the last found key, so in my setup I'm getting the "invalid user ID" error.

It looks like LBYL to me: code that is hard to implement and misses some cases. Should the EAFP style be used instead, by just trying to access the password store and catching an exception as needed? I haven't read the project history; I bet this code is here for a reason.
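An added example, not pass-audit's own code, that keeps the look-before-you-leap check but evaluates it per key. In gpg's --with-colons output the record type is field 1, the validity is field 2 and the user ID is field 10; the snippet quoted above overwrites the validity on every pub record and tests only the last one, so a revoked key listed after a good key fails the check. The parser below groups each pub record with its uid records and accepts the identity if any of its keys is trusted. Which validity letters count as trusted is an assumption for this example, the listing is constructed (key IDs and timestamps are made up), and gpg_listing is only there to show how real output would be obtained.

```python
"""Added example (not pass-audit's own code): decide whether a GPG user ID has a
usable key from `gpg --with-colons --list-keys` output, per key rather than
from whichever pub record happens to come last."""
import subprocess

# Assumption for this example: 'u' (ultimate), 'f' (full) and 'm' (marginal)
# validity are usable; revoked 'r', expired 'e', unknown '-' etc. are not.
TRUSTED = {"u", "f", "m"}


def parse_colon_listing(out):
    """Yield (validity, [user ids]) for each public key in --with-colons output."""
    validity, uids = None, []
    for line in out.splitlines():
        record = line.split(":")
        if record[0] == "pub":
            if validity is not None:
                yield validity, uids
            validity, uids = record[1], []
        elif record[0] == "uid" and len(record) > 9:
            uids.append(record[9])
    if validity is not None:
        yield validity, uids


def isvalid_last_key_only(out):
    """The logic from the report: only the validity of the last 'pub' record
    survives the loop, so a revoked key listed after a good one wins."""
    trust = None
    for line in out.split("\n"):
        record = line.split(":")
        if record[0] == "pub":
            trust = record[1]
    return trust in TRUSTED


def isvalid(out, identity):
    """True if any listed key carrying `identity` in one of its user IDs is trusted."""
    for validity, uids in parse_colon_listing(out):
        if validity in TRUSTED and any(identity in uid for uid in uids):
            return True
    return False


def gpg_listing(identity):
    """Obtain real input for isvalid(); only --with-colons output is stable enough
    to parse (the human-readable format changes between gpg versions)."""
    return subprocess.run(["gpg", "--with-colons", "--list-keys", identity],
                          capture_output=True, text=True, check=False).stdout


# Constructed listing: an ultimately trusted key followed by a revoked key, both
# for the same address. Key IDs, fingerprints and timestamps are made up.
CONSTRUCTED_LISTING = "\n".join([
    "tru::1:1700000000:0:3:1:5",
    "pub:u:4096:1:0000000000000001:1600000000:::u:::scESC::::::23::0:",
    "fpr:::::::::0000000000000000000000000000000000000001:",
    "uid:u::::1600000000::A1::Alice <alice@example.org>::::::::::0:",
    "sub:u:4096:1:0000000000000002:1600000000::::::e::::::23:",
    "pub:r:2048:1:0000000000000003:1400000000:::-:::sc::::::23::0:",
    "fpr:::::::::0000000000000000000000000000000000000003:",
    "uid:r::::1400000000::A2::Alice <alice@example.org>::::::::::0:",
    "",
])


if __name__ == "__main__":
    print("last key only:", isvalid_last_key_only(CONSTRUCTED_LISTING))
    print("per key:      ", isvalid(CONSTRUCTED_LISTING, "alice@example.org"))
```

The reporter's alternative, trying the decryption and catching the failure, remains valid; the per-key parse above is the smaller change to the existing check.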

Password strength checker doesn't check entire password

It appears that when checking password strength, pass-audit throws many false positives. This seems to be because it interprets a colon (:) in a password as some sort of delimiter rather than part of the password itself. Example:

$ pass audit --verbose websites/example.org
  w  Weak password detected: AbCD:De.f#gH11^-2j:/|KL,m from websites/example.org might be weak. Score 2 (51010000 guesses). This estimate is based on the sequence AbCD:(bruteforce) + De.f#gH11^-2j:/|KL,m(dictionary)
 [x] Error: 1 passwords tested and 0 breached, 1 weak passwords found.
  .  You should update them with 'pass-update'.
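An added example, not pass-audit's own code, for this report and the "passwordless entries" one above. It reads a decrypted entry by pass's convention: the whole first line is the password, colons included, and later 'key: value' lines are metadata. An entry whose first line is empty (for instance one holding only OTP metadata) is reported as skipped instead of being handed to the estimator, which the tracebacks on this page show failing with IndexError on an empty string. The zxcvbn call is optional so the block runs without the library installed; the result keys, the "skipped"/"unscored" statuses and the sample entries are constructed for the example.

```python
"""Added example (not pass-audit's own code): parse a pass entry and guard the
strength estimator against entries with no password."""
try:
    from zxcvbn import zxcvbn  # the real estimator, used when installed
except ImportError:  # pragma: no cover
    zxcvbn = None


def parse_entry(text):
    """Return (password, metadata, notes). Line 1 is the password verbatim;
    'key: value' lines after it are metadata; anything else (free text,
    otpauth:// URIs) is kept as notes."""
    lines = text.split("\n")
    password = lines[0] if lines else ""
    meta, notes = {}, []
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key and " " not in key and not value.startswith("//"):
            meta[key.lower()] = value.strip()
        elif line.strip():
            notes.append(line)
    return password, meta, notes


def audit_entry(path, text, user_inputs=()):
    """Score one entry. Entries with an empty first line are skipped with a
    reason rather than passed to zxcvbn, which cannot score an empty string."""
    password, meta, notes = parse_entry(text)
    if password.strip() == "":
        return {"path": path, "status": "skipped",
                "reason": "no password on first line"}
    if zxcvbn is None:
        return {"path": path, "status": "unscored",
                "password_length": len(password)}
    # Path components and metadata values are weak guesses an attacker would try,
    # so they are fed back as user inputs the estimator should penalise.
    hints = list(user_inputs) + path.split("/") + list(meta.values())
    result = zxcvbn(password, user_inputs=hints)
    return {"path": path, "status": "scored",
            "score": result["score"], "guesses": result["guesses"]}


def audit_store(entries):
    """Audit a {path: decrypted text} mapping; returns one result per entry so the
    caller can print skipped entries as warnings instead of crashing."""
    return [audit_entry(path, text) for path, text in sorted(entries.items())]


# Constructed entries: one password containing colons, one OTP-only entry.
CONSTRUCTED_ENTRIES = {
    "websites/example.org": "AbCD:De.f#gH11^-2j:/|KL,m\nlogin: alice\nfree text here\n",
    "Games/otp-only": "\notpauth://totp/Example:alice?secret=CONSTRUCTED\n",
}


if __name__ == "__main__":
    for item in audit_store(CONSTRUCTED_ENTRIES):
        print(item)
```

With zxcvbn installed the first entry is scored on its complete first line; without it the entry is reported as unscored, and the OTP-only entry is skipped either way.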

Wrong path on MacOS

I followed the installation instructions for MacOS, and when I try running pass audit, I get:

\e[1;31m[x]\e[0m \e[1mError:\e[0m pass audit requires /usr/lib/password-store/audit/audit.py

The installation process installed this file, although in /usr/local/lib, not /usr/lib.

Not working on Mac OS X

Unsure as to what is going on here. The extension doesn't load in the shell? After running the commands from the README.md, relaunching the shell and then typing pass audit results in the following:

Error: audit is not in the password store.

About Debian packaging

Hi,

First let me say (again, see #25) what a nice software pass-audit is, so thanks for that.

I'm a Debian Maintainer and I plan to package pass-audit for Debian.

I'm facing a delicate issue with packaging your software because of your effort to provide Debian packaging. Basically, Debian generally expects that the upstream release doesn't include a debian/ folder.

So I'm kindly asking if you would consider keeping this folder out of the (next) release tarballs?
I realize this could disrupt your release workflow but that would ease mine.

Thanks.

Cheers,
Thomas

IndexError: list index out of range

At the end of the audit I have this error:

Traceback (most recent call last):
  File "/usr/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.7/site-packages/pass_audit.py", line 349, in <module>
    main(sys.argv)
  File "/usr/lib/python3.7/site-packages/pass_audit.py", line 338, in main
    weak = audit.zxcvbn()
  File "/usr/lib/python3.7/site-packages/pass_audit.py", line 261, in zxcvbn
    results = zxcvbn(password, user_inputs=user_input + path.split("/"))
  File "/usr/lib/python3.7/site-packages/zxcvbn/__init__.py", line 28, in zxcvbn
    result = scoring.most_guessable_match_sequence(password, matches)
  File "/usr/lib/python3.7/site-packages/zxcvbn/scoring.py", line 204, in most_guessable_match_sequence
    optimal_match_sequence = unwind(n)
  File "/usr/lib/python3.7/site-packages/zxcvbn/scoring.py", line 181, in unwind
    for candidate_l, candidate_g in optimal['g'][k].items():
IndexError: list index out of range
$ pass audit -V
pass audit 1.0.1
$ python --version
Python 3.7.3

Don't use python to ship data files

I'm working on packaging pass-audit on fedora. The current setup.py provided data-files are only working for easy_install packages and not wheel ones (see https://setuptools.pypa.io/en/latest/userguide/datafiles.html#non-package-data-files ).

Since easy_install packages are deprecated, I'm proposing to rollback the installation to the Makefile (PR incoming).

For reference, the current WIP package is https://git.sr.ht/~xdbob/rpm-packages/tree/master/item/pass-audit
