kapsir / haveibeenpwnedkeepassplugin Goto Github PK

Hi,

I just find your plugin. I have get already more than 200 entries in my Keepass DB. I launch a check on all entries which report 41 entries powned. How can i know which ones is powned ? Can you report the list ?

Thanx

OS: Windows 7 64-bit SP2
KeePass v2.49
HaveIBeenPwnedPlugin v0.7.0

** Issue:
Pressing OK on an Edit Entry window to save it causes entry list in the main window to refresh. Sometimes this occurs instantly, while other times it occurs after 1-5 seconds. Any applied search filter is lost and the selected entry is often scrolled out of view as KeePass2 switches/refreshes the list to show all entries in the selected entry's Group.

** Notes:
KeePass normally highlights an entry's left-pane Group after selecting a result from a successful search, but it does not refresh the right-pane entry list after editing an entry, even if changes are made; the view remains the same. The entry list remains as-is, allowing the user to easily perform further actions with that entry.

However, HaveIBeenPwnedPlugin appears to cause the right-pane entry list to be refreshed after a 0-5 second delay and this causes either or both of the following results:

1. Search result is lost and all entries in the edited entry's Group are sorted with the default (currently set) method.
2. Selected entry is often scrolled upward out of view except when the entry is near the top or bottom of the default sorted list or all Group entries fit into one view. This behavior is not exactly predictable, but entries are generally scrolled upward and out of view.

The selected entry remains selected and can be immediately re-opened by using the keyboard Enter key, but the entry is usually out of view. Since the user typically uses the mouse to press the OK button in the Edit Entry window, they have the mouse in-hand and will need to scroll the entry list to find and re-open the selected entry or to drag-n-drop the username and/or password from that entry.

This behavior has been confirmed in combination with other plugins and when using HaveIBeenPwnedPlugin as the only active plugin.

Thanks for your time regarding this post and for your work in developing and maintaining this useful plugin. Apologies in advance if this report is inaccurate or falsely attributed.

https://haveibeenpwned.com/API/v3#PwnedPasswordsPadding

When I do Check all passwords I get:

But when I do Check current password I actually see nothing?
Ref: #6 (comment)

I think Check current password should behave like https://haveibeenpwned.com/Passwords
For example, if a user wants to verify password 12345, the website comes back with message:

I suspect that novice users won't even know what the plugin does without such functionality.

I tested it with v0.6.0 together with KeePass 2.46.

When I run the check, some entries get tagged and even get tag data about how many times it has been used. The database changes to modified state because tags are assigned. But when I save the database all tags disappear.

It's discussable, whether a tag changes the content of a box or not. But the developers of KeePass decided for the former, only items with changed modified date are really saved.

While it may be a feature to assign the HIBP result tags only temporary, why should I bother to assign ignore tags, if they are lost?

Could you create and provide an plgx plugin file in your releases, please?
I'd like to create an NixOS package of your plugin. And the plgx would be more suitable in this case for compatibility reasons.

Details:
Tests if we can enable it in general are necessary (otherwise we have to check for the OS version)

Hi, it would be nice to tag an entry or something to exclude it from checking. The condition could be extended similiar to ignoring expired entries.
1.

private const string IgnoreTag = "ignore-pwned";

if (!pwEntry.Tags.Contains(IgnoreTag)) {
    // ...
}

entries = entries.Where(entry => !entry.contains(IgnoreTag));

Hi Ralph

First of all thank you for this nifty plugin.

This issue here is not a code issue but more of a theoretical and organisational one.

Since credentials, passwords, API tokens etc. stored in KeePass files are highly sensitive and thus quite valuable for hackers, preventing any security incidents is absoutely essential.

Now, when one uses your plugin, especially in a professional environment, your plugin or better said you, your GitHub account and the plugin repo become part of the potential attack surface.

Because of this, I was wondering if you are aware of this and what security measures have you in place to prevent things like:

• Taking over your GitHub account
• Manipulation of the plugin's code
• Injecting malicious code in the release artifacts

For example, do all of the developers who have write access to the plugin have 2FA activated in GitHub?
Or is there another developer besides you with admin access to the repo in case of an incident?

Greetings from Basel
Marc

If there is no connectivity (no dns, socket error), an exception is thrown.

Can this plugin be installed not on Windows but on Linux(ubunut) instance of keepass2 ?

Thx

Enable deterministic builds with a path map.
This makes the binaries reproducible at the byte-code level.

Hi,

Today, I was informed about the newest release available 0.8.0.4 (already installed):

But when I checked the last available release here on the GitHub repo, I just found version v0.8.0.

Also, there was no such tag .

I found a commit, though, in which the version number was changed to 0.8.0.4.

The only differences between v0.8.0 and 0.8.0.4 seem to be

1. This makes the v8.0 release public (update check shows new version available)
2. Fix changelog reference link

I was confused as why the "official" release wasn't the one I was informed about.

It would be great, if there was always a corresponding release including a change log entry.

Thus, in this case I would have either expected to find just a release 0.8.0.4, including the x.y.z.4, or one in addition to a 0.8.0 release.

When there are a lot of passwords, at this time we can't see any indicator on the status of the checks.