sts10 / medic


Check the "health" of passwords in a KeePass database

Home Page: https://sts10.github.io/2019/02/01/medic.html

License: MIT License

Rust 100.00%
Topics: rust, passwords, keepass, keepassxc, haveibeenpwned, hibp, hibpwned, offline, password


medic's Issues

Accept files of actual passwords for comparison

Currently, Medic can accept a list of SHA1 hashes to check against the given KeePass database's passwords.

Wondering if it would be useful if, through a different flag/option, Medic could take a file of actual, non-hashed passwords, which users might have. Should be pretty easy to implement...

Test for more types of KeePass database failures

Write tests for following possible cases:

  • No file extension on the given KeePass database
  • "Corrupted" DB
  • Failure to open the DB for another reason
  • A KeePass entry that has no title

Next, make sure that, whether the new tests pass or fail, the program itself handles these cases (relatively) well!

Improve error handling (read: remove more `unwrap` calls)

Specifically in lib.rs.

For example:

  • Consider replacing the unwraps with real error-handling tools, such as `eprintln!`, `expect`, or `unwrap_or_else`
  • Specifically: Consider changing the output of the `get_entries` function to a `Result` to make error handling more natural.
  • More broadly, figure out the best place in the "chain" of functions to handle errors. Where do the turtles end? Every unwrap should be a question: What should happen if the provided file has no file extension, etc. (Reference 1; reference 2)

Don't allow app to connect to internet at all

Currently, for convenience, this tool allows users to check the passwords of a KeePass database against the HaveIBeenPwned Pwned Passwords list. Users can perform this check in one of two ways:

1. ONLINE HIBP Check

This tool takes the first 5 characters of the hash of a password, and sends it to HaveIBeenPwned servers via the service's API. A number of potential matches come back, at which point the tool searches for an exact match (which would indicate an exposed password). As explained in the API documentation:

When a password hash with the same first 5 characters is found in the Pwned Passwords repository, the API will respond with an HTTP 200 and include the suffix of every hash beginning with the specified prefix, followed by a count of how many times it appears in the data set. The API consumer can then search the results of the response for the presence of their source hash and if not found, the password does not exist in the data set.

Note: I currently force users to give explicit permission to perform this check:

```rust
println!("\n\nHeads up! I'll be sending the first 5 characters of the hashes of your passwords over the internet to HaveIBeenPwned. \nType allow to allow this");
if gets().unwrap() == "allow" {
    println!("Cool, I'll check your KeePass passwords over the internet now...\n");
    // ... perform the online check only after the user typed "allow"
}
```

2. OFFLINE HIBP Check

The tool also allows users to perform this check entirely offline; however, the user must first download the ~11GB exposed passwords list themselves, then provide that text file to this tool so it can do the check. To execute this procedure, this tool does not need to connect to the internet.

For a variety of reasons, the OFFLINE method is more secure. Even though the ONLINE method only sends 5 characters of a hash of user passwords, that's still more than nothing.

Thus I'm thinking of removing the ONLINE option (option 2). This way the entire tool never connects to the internet, which would be more in line with how KeePassXC, a commonly used application for interacting with KeePass databases, works by default (except features like "Download favicon").

I could even put a "paranoid" check in place such that the tool can't open a KeePass database if it's able to connect to the internet, forcing the user to disable their internet connection in order to use the tool at all.

Questions

What do you think? Should I offer the ONLINE check at all? Make it harder to access somehow?

Are you less likely to use this tool because there's an option to send 5 characters of your passwords' hashes over the internet? Does removing that feature in order to allay these security concerns provide a net benefit that outweighs the usefulness of the online check?
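The two check paths described in this issue, as an added example in Python that is not medic's own code (medic is written in Rust): a range-response lookup that matches the 35-character hash suffix locally, so only the 5-character prefix would ever leave the machine, and an offline check that also covers the first issue's idea of hashing a plaintext password file before comparison. The response body, the counts and the offline lines are constructed; the `HASH:count` line format of the downloaded list is an assumption.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6:
# each line is "<35-char hash suffix>:<count>". Counts are made up here.
SAMPLE_RANGE_RESPONSE = """\
0035F0838B8F9BB8B5D3D6E4A0B2F4D6F2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7B3A23A1F6F9A7E4C0C8A19D3F0C2B4E1D9:1
"""
# Constructed stand-in for the downloaded offline list; the real file is
# assumed to use the same "<full SHA-1 hash>:<count>" line format.
SAMPLE_OFFLINE_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # sha1("password")
    "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D:264201",   # sha1("hello")
]

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password, as used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> Tuple[str, str]:
    """Only the 5-char prefix is sent; the 35-char suffix stays on the host."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def online_check_from_response(password: str, body: str) -> int:
    """Local suffix match on the range response; 0 means not in the data set."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(body).get(suffix, 0)

def offline_check(passwords: Iterable[str], hash_lines: Iterable[str]) -> Dict[str, int]:
    """Stream the offline list once; return exposed password -> breach count."""
    wanted = {sha1_hex(p): p for p in passwords}  # plaintext list hashed locally
    exposed: Dict[str, int] = {}
    for line in hash_lines:
        digest, _, count = line.strip().partition(":")
        if digest.upper() in wanted:
            exposed[wanted[digest.upper()]] = int(count)
    return exposed
```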
