Check 1Password passwords against havibeenpwned.com password database.

1passwordpwnedcheck.sh

#!/bin/bash

########################################################################################
# 1passwordpwnedcheck.sh - script to check 1password entries against known compromised 
# passwords from haveibeenpwned.com
#
# Requirements: 
#   1password CLI tool - https://app-updates.agilebits.com/product_history/CLI
#   jq json parser - https://stedolan.github.io/jq/
#
# Resources:
#   https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
#   https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
#   https://gist.github.com/IcyApril/56c3fdacb3a640f37c245e5813b98b99
########################################################################################


echo "Checking 1Password items against haveibeenpwned.com password list."
echo "Be patient, this might take a while."

item_uuids=$(op list items | jq -c -r '.[].uuid')

pwnd_count=0

for uuid in ${item_uuids}; do

    _checkhash(){
        hash="$(echo -n ${1}| openssl sha1)"
        upperCase="$(echo $hash | tr '[a-z]' '[A-Z]')"
        prefix="${upperCase:0:5}"
        response=$(curl -s https://api.pwnedpasswords.com/range/$prefix)
        while read -r line; do
          lineOriginal="$prefix$line"
          if [ "${lineOriginal:0:40}" == "$upperCase" ]; then
              title=$(_gettitle $uuid)
              echo "Oh no! $title password pwned! You should probably change that one."
              (( pwnd_count += 1 ))
          fi
        done <<< "$response"
    }

    _gettitle(){
        echo "$(op get item ${1} | jq -r '.overview.title?')"
    }

    pwd=$(op get item $uuid | jq -r '.details.fields[] | select(.designation == "password")|.value?' 2> /dev/null)
    _checkhash "$pwd"
done

if [ $pwnd_count -eq 0 ]; then
    echo "Good news! No pwnd passwords found!"
else
    echo "Done. You have $pwnd_count passwords that need changing."
fi

exit 0