Merge pull request #34 from andrew-schofield/disable-unsafe-password-check

Disable unsafe password check

Author: andrew-schofield

Changelog.md

@@ -1,5 +1,8 @@
 # keepass2-haveibeenpwned Changelog
 
+### v1.2.3 - 2017-10-27
+* Temporarily disable the password check mode as it sends weakly hashed passwords (although encrypted) to HIBP.
+
 ### v1.2.2 - 2017-10-21
 * Alter the way developer extensions are referenced to prevent dependency on a specific version of KeePass
 

HaveIBeenPwned.plgx

@@ -61,36 +61,15 @@ await Task.Run(() =>
         private async Task<List<HaveIBeenPwnedPasswordEntry>> GetBreaches(IProgress<ProgressItem> progressIndicator, IEnumerable<PwEntry> entries)
         {
             List<HaveIBeenPwnedPasswordEntry> allBreaches = new List<HaveIBeenPwnedPasswordEntry>();
-            int counter = 0;
+            /*int counter = 0;
             SHA1 sha = new SHA1CryptoServiceProvider();
             foreach (var entry in entries)
             {
                 counter++;
                 progressIndicator.Report(new ProgressItem((uint)((double)counter / entries.Count() * 100), string.Format("Checking \"{0}\" for breaches", entry.Strings.ReadSafe(PwDefs.TitleField))));
                 if(entry.Strings.Get(PwDefs.PasswordField) == null || string.IsNullOrWhiteSpace(entry.Strings.ReadSafe(PwDefs.PasswordField)) || entry.Strings.ReadSafe(PwDefs.PasswordField).StartsWith("{REF:")) continue;
-                HttpResponseMessage response = null;
-                try
-                {
-                    response = await client.GetAsync(new Uri("https://haveibeenpwned.com/api/v2/pwnedpassword/" + string.Join("", sha.ComputeHash(entry.Strings.Get(PwDefs.PasswordField).ReadUtf8()).Select(x => x.ToString("x2")).ToArray())));
-                }
-                catch (Exception ex)
-                {
-                    throw ex;
-                }
-
-                if (response.IsSuccessStatusCode)
-                {
-                    allBreaches.Add(new HaveIBeenPwnedPasswordEntry(entry.Strings.ReadSafe(PwDefs.UserNameField), entry.GetUrlDomain(), entry));
-                }
-                else if (response.StatusCode != System.Net.HttpStatusCode.NotFound)
-                {
-                    MessageBox.Show(string.Format("Unable to check haveibeenpwned.com (returned Status: {0})", response.StatusCode), Resources.MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
-                }
-                // hibp has a rate limit of 1500ms
-                await Task.Delay(1600);
-            }
-            
-                        
+                var passwordHash = sha.ComputeHash(entry.Strings.Get(PwDefs.PasswordField).ReadUtf8()).Select(x => x.ToString("x2")).ToArray();
+            } */    
             return allBreaches;
         }
     }

HaveIBeenPwned/BreachCheckers/HaveIBeenPwnedPassword/HaveIBeenPwnedPasswordChecker.cs

@@ -77,11 +77,11 @@ public override bool Initialize(IPluginHost host)
             haveIBeenPwnedUsernameMenuItem.Click += this.CheckHaveIBeenPwnedUsernames;
             haveIBeenPwnedMenuItem.DropDown.Items.Add(haveIBeenPwnedUsernameMenuItem);
 
-            haveIBeenPwnedPasswordMenuItem = new ToolStripMenuItem();
+            /*haveIBeenPwnedPasswordMenuItem = new ToolStripMenuItem();
             haveIBeenPwnedPasswordMenuItem.Text = "Check for breaches based on password";
             haveIBeenPwnedPasswordMenuItem.Image = Resources.hibp.ToBitmap();
             haveIBeenPwnedPasswordMenuItem.Click += this.CheckHaveIBeenPwnedPasswords;
-            haveIBeenPwnedMenuItem.DropDown.Items.Add(haveIBeenPwnedPasswordMenuItem);
+            haveIBeenPwnedMenuItem.DropDown.Items.Add(haveIBeenPwnedPasswordMenuItem);*/
 
             tsMenu.Add(haveIBeenPwnedMenuItem);
 
@@ -94,10 +94,10 @@ public override void Terminate()
             ToolStripItemCollection tsMenu = pluginHost.MainWindow.ToolsMenu.DropDownItems;
             haveIBeenPwnedServiceMenuItem.Click -= this.CheckHaveIBeenPwnedSites;
             haveIBeenPwnedUsernameMenuItem.Click -= this.CheckHaveIBeenPwnedUsernames;
-            haveIBeenPwnedPasswordMenuItem.Click -= this.CheckHaveIBeenPwnedPasswords;
+            /*haveIBeenPwnedPasswordMenuItem.Click -= this.CheckHaveIBeenPwnedPasswords;*/
             haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedServiceMenuItem);
             haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedUsernameMenuItem);
-            haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedPasswordMenuItem);
+            /*haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedPasswordMenuItem);*/
             tsMenu.Remove(haveIBeenPwnedMenuItem);
             tsMenu.Remove(toolStripSeperator);
         }

HaveIBeenPwned/HaveIBeenPwnedExt.cs

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.2.2.0")]
-[assembly: AssemblyFileVersion("1.2.2.0")]
+[assembly: AssemblyVersion("1.2.3.0")]
+[assembly: AssemblyFileVersion("1.2.3.0")]

HaveIBeenPwned/Properties/AssemblyInfo.cs

@@ -16,7 +16,9 @@
 * [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) - Checks the usernames of any entries against the Have I Been Pwned? list curated by Troy Hunt
 
 ### Password based
-* [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) - Checks the passwords of any entries against the Have I Been Pwned? list curated by Troy Hunt
+~~[Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) - Checks the passwords of any entries against the Have I Been Pwned? list curated by Troy Hunt~~
+
+**This checker is disabled in the current version of the plugin** as the HIBP password checking API requires passwords to only weakly-hashed. Although these hashes are encrypted in transit, this is still an insecure way of checking password breaches. A future updates should enable offline password breach checking. See https://github.com/andrew-schofield/keepass2-haveibeenpwned/issues/33 for reference.
 
 ## Usage
 

README.md

@@ -1,3 +1,3 @@
 :
-HaveIBeenPwned checker:1.2.2
+HaveIBeenPwned checker:1.2.3
 :