Merge pull request #34 from andrew-schofield/disable-unsafe-password-…

…check Disable unsafe password check
andrew-schofield · Oct 27, 2017 · 3f32f9e · 3f32f9e
2 parents b744c07 + 98bf390
commit 3f32f9e
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 32 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,8 @@
 # keepass2-haveibeenpwned Changelog
 
+### v1.2.3 - 2017-10-27
+* Temporarily disable the password check mode as it sends weakly hashed passwords (although encrypted) to HIBP.
+
 ### v1.2.2 - 2017-10-21
 * Alter the way developer extensions are referenced to prevent dependency on a specific version of KeePass
 

diff --git a/HaveIBeenPwned.plgx b/HaveIBeenPwned.plgx
diff --git a/HaveIBeenPwned/BreachCheckers/HaveIBeenPwnedPassword/HaveIBeenPwnedPasswordChecker.cs b/HaveIBeenPwned/BreachCheckers/HaveIBeenPwnedPassword/HaveIBeenPwnedPasswordChecker.cs
@@ -61,36 +61,15 @@ await Task.Run(() =>
         private async Task<List<HaveIBeenPwnedPasswordEntry>> GetBreaches(IProgress<ProgressItem> progressIndicator, IEnumerable<PwEntry> entries)
         {
             List<HaveIBeenPwnedPasswordEntry> allBreaches = new List<HaveIBeenPwnedPasswordEntry>();
-            int counter = 0;
+            /*int counter = 0;
             SHA1 sha = new SHA1CryptoServiceProvider();
             foreach (var entry in entries)
             {
                 counter++;
                 progressIndicator.Report(new ProgressItem((uint)((double)counter / entries.Count() * 100), string.Format("Checking \"{0}\" for breaches", entry.Strings.ReadSafe(PwDefs.TitleField))));
                 if(entry.Strings.Get(PwDefs.PasswordField) == null || string.IsNullOrWhiteSpace(entry.Strings.ReadSafe(PwDefs.PasswordField)) || entry.Strings.ReadSafe(PwDefs.PasswordField).StartsWith("{REF:")) continue;
-                HttpResponseMessage response = null;
-                try
-                {
-                    response = await client.GetAsync(new Uri("https://haveibeenpwned.com/api/v2/pwnedpassword/" + string.Join("", sha.ComputeHash(entry.Strings.Get(PwDefs.PasswordField).ReadUtf8()).Select(x => x.ToString("x2")).ToArray())));
-                }
-                catch (Exception ex)
-                {
-                    throw ex;
-                }
-
-                if (response.IsSuccessStatusCode)
-                {
-                    allBreaches.Add(new HaveIBeenPwnedPasswordEntry(entry.Strings.ReadSafe(PwDefs.UserNameField), entry.GetUrlDomain(), entry));
-                }
-                else if (response.StatusCode != System.Net.HttpStatusCode.NotFound)
-                {
-                    MessageBox.Show(string.Format("Unable to check haveibeenpwned.com (returned Status: {0})", response.StatusCode), Resources.MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
-                }
-                // hibp has a rate limit of 1500ms
-                await Task.Delay(1600);
-            }
-
-
+                var passwordHash = sha.ComputeHash(entry.Strings.Get(PwDefs.PasswordField).ReadUtf8()).Select(x => x.ToString("x2")).ToArray();
+            } */    
             return allBreaches;
         }
     }

diff --git a/HaveIBeenPwned/HaveIBeenPwnedExt.cs b/HaveIBeenPwned/HaveIBeenPwnedExt.cs
@@ -77,11 +77,11 @@ public override bool Initialize(IPluginHost host)
             haveIBeenPwnedUsernameMenuItem.Click += this.CheckHaveIBeenPwnedUsernames;
             haveIBeenPwnedMenuItem.DropDown.Items.Add(haveIBeenPwnedUsernameMenuItem);
 
-            haveIBeenPwnedPasswordMenuItem = new ToolStripMenuItem();
+            /*haveIBeenPwnedPasswordMenuItem = new ToolStripMenuItem();
             haveIBeenPwnedPasswordMenuItem.Text = "Check for breaches based on password";
             haveIBeenPwnedPasswordMenuItem.Image = Resources.hibp.ToBitmap();
             haveIBeenPwnedPasswordMenuItem.Click += this.CheckHaveIBeenPwnedPasswords;
-            haveIBeenPwnedMenuItem.DropDown.Items.Add(haveIBeenPwnedPasswordMenuItem);
+            haveIBeenPwnedMenuItem.DropDown.Items.Add(haveIBeenPwnedPasswordMenuItem);*/
 
             tsMenu.Add(haveIBeenPwnedMenuItem);
 
@@ -94,10 +94,10 @@ public override void Terminate()
             ToolStripItemCollection tsMenu = pluginHost.MainWindow.ToolsMenu.DropDownItems;
             haveIBeenPwnedServiceMenuItem.Click -= this.CheckHaveIBeenPwnedSites;
             haveIBeenPwnedUsernameMenuItem.Click -= this.CheckHaveIBeenPwnedUsernames;
-            haveIBeenPwnedPasswordMenuItem.Click -= this.CheckHaveIBeenPwnedPasswords;
+            /*haveIBeenPwnedPasswordMenuItem.Click -= this.CheckHaveIBeenPwnedPasswords;*/
             haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedServiceMenuItem);
             haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedUsernameMenuItem);
-            haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedPasswordMenuItem);
+            /*haveIBeenPwnedMenuItem.DropDown.Items.Remove(haveIBeenPwnedPasswordMenuItem);*/
             tsMenu.Remove(haveIBeenPwnedMenuItem);
             tsMenu.Remove(toolStripSeperator);
         }

diff --git a/HaveIBeenPwned/Properties/AssemblyInfo.cs b/HaveIBeenPwned/Properties/AssemblyInfo.cs
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.2.2.0")]
-[assembly: AssemblyFileVersion("1.2.2.0")]
+[assembly: AssemblyVersion("1.2.3.0")]
+[assembly: AssemblyFileVersion("1.2.3.0")]
diff --git a/README.md b/README.md
@@ -16,7 +16,9 @@
 * [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) - Checks the usernames of any entries against the Have I Been Pwned? list curated by Troy Hunt
 
 ### Password based
-* [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) - Checks the passwords of any entries against the Have I Been Pwned? list curated by Troy Hunt
+~~[Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) - Checks the passwords of any entries against the Have I Been Pwned? list curated by Troy Hunt~~
+
+**This checker is disabled in the current version of the plugin** as the HIBP password checking API requires passwords to only weakly-hashed. Although these hashes are encrypted in transit, this is still an insecure way of checking password breaches. A future updates should enable offline password breach checking. See https://github.com/andrew-schofield/keepass2-haveibeenpwned/issues/33 for reference.
 
 ## Usage
 

diff --git a/VERSION b/VERSION
@@ -1,3 +1,3 @@
 :
-HaveIBeenPwned checker:1.2.2
+HaveIBeenPwned checker:1.2.3
 :
diff --git a/mono/HaveIBeenPwned.dll b/mono/HaveIBeenPwned.dll