One of the most serious computer security problems that can happen to us is password theft. There have been many cases where a breach has put users of an online service, app, social network, or other platform at risk. Hackers can use those passwords to launch attacks, steal personal information, and attack others. In this article we are going to talk about the HIBP Offline Check tool.
What is HIBP Offline Check
HIBP Offline Check is an open source tool that combines the popular Have I Been Pwned service with the KeePass password manager. Its purpose is to show us whether any of our passwords has been leaked after an attack or a problem with a service where we are registered.
Basically it is an extension that we can install in KeePass. Have I Been Pwned is an Internet service that lists passwords that have been leaked on the network. It is very useful, since anyone can check whether one of their passwords has ended up in the wrong hands, for example after an attack on a known service or a security breach. It is completely free and accessible to everyone.
HIBP Offline Check uses that database, but it acts as a plugin that we can install directly in KeePass. KeePass is a popular password manager that we can use on different operating systems and even has a version for the browser, such as Google Chrome or Mozilla Firefox.
This extension came about after Collection #1 and subsequent ones were released. It was an 87 GB database with no less than 22 million unique passwords that had been leaked on the network. In total there were five similar databases, which had a very large international scope.
To make it easier to check passwords that might have been leaked on the network, HIBP Offline Check was introduced. This way you can use KeePass to make the whole process easier.
Steps to find leaked keys with KeePass
We are going to explain the steps needed to install the HIBP Offline Check plugin in KeePass and use it to check whether our passwords have been leaked at any time. Basically we are going to have to install KeePass and then add that extension.
The first requirement is to have KeePass installed. If you don’t have it installed, you can download it from its official website. There you will find the different versions available, depending on the operating system. We can use it on Windows, as well as Linux or macOS.
It is important to always have the latest version installed. This will allow it to work as well as possible, but also correct possible security flaws that may affect us. At the end of the day, we are trusting it with our passwords, so it is essential that it works as well as possible.
Download HIBP Offline Check
Once we have KeePass ready, the next thing we have to do is download HIBP Offline Check. We can do it from GitHub. You simply have to download the application and install it on your Windows computer.
This first step will link KeePass with HIBP Offline Check and we will be able to continue with the process for our final objective, which is to be able to check possible passwords that have been leaked on the Internet and that we must change as soon as possible to avoid problems.
Configure the extension
The next step is to configure the extension so that it can check the passwords. We open the Tools menu and choose HIBP Offline Check. A configuration window will appear.
If we have a password database downloaded to our computer, we have to select offline check mode. This will allow us to compare our passwords without having to connect to the Internet and thus see if they are part of the Collection databases.
However, to be able to use that function we are going to have to download the entire database, something that occupies more than 20 GB. Therefore, the best option for many may be to use online check mode and check passwords directly in Have I Been Pwned through its API. We can also give a name to the column that the plugin will display and set the default message.
Configure the columns
The next thing will be to show the HIBP Offline Check column in the list of passwords. To do this, select the View menu and click on Configure Columns. You have to enable the Have I Been Pwned column.
As we can see, the extension automatically checks each password and tells us whether it is safe or has been leaked in a known database. We will even be able to see the number of times that password is repeated across all the databases, so we will see if it is an isolated case or if we are using very common passwords.
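The offline check mode described above comes down to looking up the SHA-1 hash of each password in the downloaded file and reading the count stored next to it. The following Python code is an added example, not the plugin's own code: it assumes the file has one `HASH:COUNT` line per password, sorted by hash, and the function names, sample passwords and counts are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form assumed for the downloaded file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def write_sample_file(path: str, leaked: dict) -> None:
    """Write a constructed HASH:COUNT file, sorted by hash, CRLF line ends."""
    lines = sorted(f"{sha1_hex(p)}:{n}" for p, n in leaked.items())
    with open(path, "wb") as f:
        f.write("".join(line + "\r\n" for line in lines).encode("ascii"))


def pwned_count(path: str, password: str) -> int:
    """Binary-search the sorted file by byte offset; 0 means not found."""
    target = sha1_hex(password).encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(max(mid - 1, 0))
            if mid > 0:
                f.readline()          # skip to the next line boundary
            start = f.tell()
            line = f.readline()
            if start >= hi or not line:
                hi = mid              # no line starts inside [mid, hi)
                continue
            digest, _, count = line.strip().partition(b":")
            digest = digest.upper()
            if digest == target:
                return int(count)
            if digest < target:
                lo = start + len(line)
            else:
                hi = mid
    return 0


if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
    # Constructed entries and counts, not real breach statistics.
    write_sample_file(sample, {"password": 5, "123456": 9, "qwerty": 3})
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(sample, pw)
        print(pw, "->", f"Pwned ({n} times)" if n else "Secure")
```

Because the search seeks by byte offset instead of reading line by line, a lookup touches only a few dozen lines even in a file of many gigabytes, and the password never leaves the machine.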
Therefore, by following these steps we can see, thanks to KeePass and the HIBP Offline Check extension, if our passwords have been leaked. This will help us take action as soon as possible to prevent intruders on our social networks, email or any other services we use.
What to do if passwords have been leaked
But what should we do if we see that the passwords have been leaked? Logically we must take action as soon as possible and thus reduce the risk of problems. If when analyzing the passwords we see the message Secure, it means that they are safe and there is no problem with them. However, this does not guarantee that our password has not been stolen by other means.
If the Pwned message appears, it means that the password has been leaked. That is when, especially, we are going to have to take action. The first thing is to change the password as soon as possible. We can even use the KeePass password manager to generate a fully secure password that meets the recommended requirements.
There are more options to generate strong passwords, like the Qey password manager. It is a quantum generator that allows you to use passwords that are as secure as possible, totally random and unique.
But beyond changing the password, we should also enable two-factor authentication whenever possible. This will add an extra layer of security, something that will come in handy in order to protect our accounts on social networks or any online service that we use.
In short, with this extension for KeePass you will be able to check if your passwords have been leaked or not. It is a very useful option, since it has an extensive database against which you can compare your passwords. In case you see that you have been the victim of a leak, you should act as soon as possible and change the passwords.