KeePass password check integration with leakage database

Original author: Martin Brinkmann
  • Transfer
This article describes in steps the process of integrating password security checks in the KeePass password manager. The checks use the latest Have I Been Pwned database, where leaked passwords are stored, and it all works locally, so you do not have to worry about the possibility of password leaks leaking to the Internet.

KeePass is an excellent password manager for the desktop, by default it stores databases locally. It is rich in various capabilities, and since 2016 it is subject to regular auditing .

Have I Been Pwned - an online service to check if one of your online accounts has been compromised during any password leaks.

Some password managers, such as 1Password, offer the ability to verify a password in this database.


KeePass users can do the same, only locally. Here is what you need:

Place the plugin in the KeePass plugin directory. It has open source code, and you could make it from scratch if you had the right skills. By default, KeePass is installed in C: \ Program Files (x86) \ KeePass.

Unpack the database with passwords to any directory. In text form, it takes 23 GB, and in compressed for download - 9 GB.

Launch KeePass and select Tools> HIBP Offline Check. Click Browse and select the password file that you previously unpacked.

In the dialog, you can change other parameters, for example, the name of a column in KeePass or the text that is displayed for secure and dangerous passwords.

Finally, select View> Configure Columns and activate the Have I Been Pwned column to see the results of the finds in the database.

Checking KeePass passwords in Have I Been Pwned

There are several ways to check passwords for a database.
  1. Double click on the field with any password.
  2. You can select multiple items, right-click, and Selected Entries> Have I Been Pwned database.

The plugin automatically checks for any updated password in the database. The plugin compares the password hash with the database hash to see if it has leaked.

The coincidence with the base of leaked passwords does not automatically mean that the password has become known to third parties - it all depends on the complexity of the password and the ability of third parties to decrypt it.

What can be done with leaked passwords

It may be recommended to change the passwords found in Have I Been Pwned. Just go to the site or select the desired service, and change the password on it manually.

KeePass can be used to generate secure passwords; they are automatically checked for the presence of Have I Been Pwned in the database, so you should not worry about that either.


The main advantage of this method is the locality of all checks. The disadvantage is that you have to regularly download new releases of the database and check passwords for the presence in them.

And which password manager do you use?

Also popular now: