Workshop: Check passwords stored in KeePass against data leaks

KeePass is a great password manager, but by default, it doesn't check stored passwords against data leaks. We'll show you how to add this feature using an additional plug-in.

Data leaks pose a significant problem for many companies. Attackers often steal access credentials without being detected and use them to reach business resources over the Internet. A secure Virtual Private Network (VPN) protects the connection itself and makes eavesdropping on confidential traffic very hard, but it does nothing against an attacker who already holds valid credentials. That is where the following measures come in.

Multi-factor authentication (MFA) adds a further layer of protection against attacks with stolen credentials. In addition to the user ID and password, the login requires a second factor, typically a time-limited one-time password (OTP) from an authenticator app or a hardware security key. However, not all companies use MFA consistently yet, and not every cloud provider or application supports it.

Companies have several ways to enforce the use of secure passwords. The most important measures include:

  • Password policy: A policy prevents passwords from being easy to guess or crack, for example by requiring a minimum length of 12 or 20 characters and a mix of upper- and lowercase letters, digits and special characters. Length does far more for strength than character-class rules.
  • Changing passwords regularly: Forced rotation, for example every 90 days, limits how long a stolen password remains usable. Current guidance such as NIST SP 800-63B advises against routine expiry, because it pushes users toward predictable variations, and recommends changing a password immediately when there is evidence it has been compromised. A leak check like the one described below provides exactly that evidence.
  • Password manager: These tools generate an individual, long, random password for each application and store it, so employees never have to remember or reuse one.

How to effectively set up and use the KeePass password manager

KeePass is a reliable open-source password manager that companies can use free of charge. It generates strong passwords and stores them in an encrypted database. The database is protected by a master key, usually a master password, optionally combined with a key file, and cannot be opened without it.

Even employees with little technical experience can usually install and use KeePass without problems. A separate database entry is created for each account; it holds the user name for the application or service, the password, a clickable URL and a large notes field.

To locate important entries quickly, KeePass lets you set a background color for an entry in the "Properties" tab. It also keeps every previous version of an entry in the "History" tab, and the "Compare" function shows the differences between two versions, down to the smallest change.

Check your own passwords against leaks with KeePass

KeePass can be extended with plug-ins. One of them checks stored passwords automatically against the Pwned Passwords database of Have I Been Pwned? (HIBP). This database, maintained by security researcher Troy Hunt, contains hundreds of millions of passwords that have appeared in data breaches over the years.

A password that appears in any of these leaks should no longer be used. Assume that attackers have the same data and have added it to their wordlists: instead of brute-forcing every combination, they simply try each leaked password (dictionary and credential-stuffing attacks), which takes seconds rather than years.

The KeePass plug-in "HIBP Offline Check" never sends a stored password to Have I Been Pwned?. It computes the password's SHA-1 hash, a fixed-length fingerprint from which the password cannot be recovered directly, and in online mode transmits only the first five hexadecimal characters of that hash. HIBP answers with all known hash suffixes in that range (several hundred of them), and the comparison with the full hash happens locally, so the service never learns which password was checked (the k-anonymity scheme of the HIBP range API). A hash alone is not a secret, since weak passwords can be found by hashing guesses, which is exactly why only the prefix leaves the machine. If the plug-in finds a match, change the associated password immediately, as it is compromised.
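The following Python snippet is added here as an illustration; it is not code from the plug-in or from HIBP. It reproduces the check described above: hash the password with SHA-1, keep the 5-character prefix as the only thing that would be transmitted, and compare the remaining 35 characters locally against the returned range. The range response is a constructed sample around the well-known SHA-1 of "password" with invented counts; `fetch_range_online` shows the real endpoint but is not called by the demo, so the block runs offline.

```python
import hashlib
import urllib.request

# Constructed sample of an HIBP "range" response for the prefix 5BAA6
# (the first five hex digits of SHA-1("password")). A real response lists
# every known 35-character suffix in that range, one "SUFFIX:COUNT" per
# line, sorted. The counts below are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F4C00C53F8B6F9D1D9B1E2A3C4D5E6F7A8:0\n"   # padding entry, count 0
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix). Only the 5-char prefix ever leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Search the returned range for our suffix. This runs locally, so HIBP
    never sees the suffix. Returns the breach count, 0 if absent; padding
    entries carry count 0 and are therefore treated as 'not found'."""
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for the API, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_online(prefix: str) -> str:
    """Real range query (not used by the demo). The Add-Padding header asks
    HIBP to pad the response so its size does not hint at the range."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range=fetch_range_sample) -> int:
    """Number of times the password appears in HIBP (0 = not known)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw)
        print(f"{pw!r}: {'pwned, seen ' + str(n) + ' times' if n else 'not in sample'}")
```

To run against the live service, pass `fetch_range=fetch_range_online`; the only request on the wire is then `GET /range/5BAA6`, which is the same request for every one of the roughly one million passwords sharing that prefix.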

Set up the KeePass plug-in HIBP Offline Check

Adding HIBP Offline Check to KeePass takes only a few moments. First, download the plug-in from the developer's project page: click "Releases" on the right, then the file "HIBPOfflineCheck.plgx", and save it on your computer.

Then open KeePass and select "Tools, Plugins". In the plug-in window, click "Open Folder" at the bottom. Copy the downloaded file into this folder, close the plug-in window and restart KeePass.

Then right-click any column header in the KeePass main window. Select "Configure Columns" and scroll down to the section "Provided by plugins". Tick "Have I Been Pwned?" and confirm with "OK". The column "Have I Been Pwned?" now appears in the entry list.

Check the passwords in KeePass against data leaks

Whenever you create a new entry in KeePass or change an existing one, the plug-in queries the HIBP range API to check whether the hash of the associated password is already known there. If so, the new column shows "pwned", followed by the number of times the password has appeared in leaks. If the password is unknown to HIBP, the same column shows "Secure". Older entries are not checked automatically: to check one, double-click its cell in the HIBP column.

If you would rather not query the online service at all, even with the prefix-only approach, download the complete list of password hashes known to HIBP and let the plug-in search it locally. Use the PwnedPasswordsDownloader tool for this; it fetches every hash range and writes them to a single text file with one "SHA-1 hash:count" per line, sorted by hash, which is the format the plug-in expects. Be aware that this file is very large (tens of gigabytes). After downloading, go to "Tools, HIBP Offline Check" in KeePass, set "Check mode" to "Offline" and specify the path to the downloaded file. Done. Remember to refresh the download from time to time, as the list grows with every new breach.
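The offline mode works because the downloaded list is sorted by hash, which allows a binary search by byte offset instead of reading tens of gigabytes into memory. The following Python block is an added example, not the plug-in's code: it writes a small constructed stand-in for `pwnedpasswords.txt` (six invented passwords and counts in the downloader's "SHA1:COUNT" layout) and searches it the way the plug-in's offline check must search the real file.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for pwnedpasswords.txt. The passwords and counts are
# invented for this example; the layout ("SHA1:COUNT" per line, upper-case
# hex, sorted by hash) is the one the downloader writes.
SAMPLE_LEAKED = {
    "password": 3861493,
    "123456": 2000000,
    "qwerty": 100,
    "password1": 5,
    "letmein": 42,
    "Summer2023!": 1,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def write_sample_file(path=None) -> str:
    """Write the constructed list, sorted by hash, and return its path."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".txt")
        os.close(fd)
    rows = sorted((sha1_hex(pw), n) for pw, n in SAMPLE_LEAKED.items())
    with open(path, "w", newline="\n") as f:
        for digest, n in rows:
            f.write(f"{digest}:{n}\n")
    return path


def lookup_offline(path: str, sha1_digest: str) -> int:
    """Binary-search a hash-sorted HASH:COUNT file by byte offset. Only a
    handful of lines are ever read, however large the file. Returns the
    breach count, or 0 if the hash is not in the list."""
    target = sha1_digest.upper().encode("ascii")
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        lo, hi = 0, f.tell()
        while lo < hi:
            mid = (lo + hi) // 2
            # Align to the start of the line at or after `mid`: seek one
            # byte back and discard up to the next newline.
            if mid == 0:
                f.seek(0)
            else:
                f.seek(mid - 1)
                f.readline()
            line_start = f.tell()
            line = f.readline()
            if not line:            # ran past the last line
                hi = mid
                continue
            digest, _, count = line.rstrip(b"\r\n").partition(b":")
            if digest == target:
                return int(count)
            if digest < target:     # target lies after this line
                lo = line_start + len(line)
            else:                   # target lies before this line
                hi = mid
    return 0


def check_password_offline(path: str, password: str) -> int:
    """Hash the password locally and look it up; nothing leaves the machine."""
    return lookup_offline(path, sha1_hex(password))


if __name__ == "__main__":
    sample = write_sample_file()
    for pw in ("password", "letmein", "correct horse battery staple"):
        print(f"{pw!r} -> {check_password_offline(sample, pw)}")
```

Point `write_sample_file` at the real download path instead of the temp file (or skip it and call `lookup_offline` directly on `pwnedpasswords.txt`) and the same search runs over the full list; the seek-and-realign step is what keeps each lookup to roughly log2(file size) reads.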

Passkeys promise a password-free future and lower the risk of compromised accounts. Their adoption is still under way; you can learn more about the technology and its benefits in our blog post "What's behind the new passkeys".
