Have my LastPass passwords been pwned?07 Feb 2019
“You’re one of 772,904,991 people pwned in the Collection #1 data breach”… Many of us have received an email with this subject line from Troy Hunt’s Have I Been Pwned service about 3 weeks ago. By design, that service doesn’t tell you exactly which account(s) or password(s) of yours have been pwned, you’ll need to find out yourself.
I keep most of my passwords in LastPass and I was wondering which ones might have been part of Collection #1. Unfortunately, unlike its main competitor 1Password, LastPass does not check passwords against HIBP service. One would need to do that on their own. Fortunately, this is not difficult to automate. As a matter of fact, somebody wrote this tool to check LastPass passwords against HIBP’s wonderful REST API. It works well and is pretty fast, too.
However, I decided to try and see whether I could write something similar to check my passwords against a local pwned password list. The result is on GitHub. The program is performing a simple compare of two ordered lists (LastPass passwords vs. HIBP password list), so it doesn’t really matter whether you have 10 passwords, 1 thousand passwords or 1 million passwords - the processing takes virtually the same amount of time. I get around 3 minutes on my laptop.