Password on Janik von Rotz https://janikvonrotz.ch/tags/password/ Recent content in Password on Janik von Rotz Hugo en Mon, 13 Apr 2026 08:26:08 +0200 Migrate From Pass to KeepassXC https://janikvonrotz.ch/2026/04/13/migrate-from-pass-to-keepassxc/ Mon, 13 Apr 2026 08:26:08 +0200 https://janikvonrotz.ch/2026/04/13/migrate-from-pass-to-keepassxc/ <p>In 2017 I <a href="https://janikvonrotz.ch/2017/07/24/migrate-keepass-to-pass/">migrated from KeePass to Pass</a> and now migrated back to KeePassXC. For almost 9 years I was a happy <a href="https://www.passwordstore.org/">pass</a> user. It still does a very good job and keeping password management simple. But setting up pass on a new device was always a bit difficult.</p> <p>Whenever I wanted to access my passwords on a new deceive I had to:</p> <ul> <li>Get ssh key to clone the pass repo</li> <li>Import the pgp key to access the pass repo</li> </ul> <p>Moreover, I missed two essential features:</p> <ul> <li>Browser-Plugin</li> <li>Passkey support</li> </ul> <p>And KeePassXC supports both of these cases. In addition I already used KeePassXC:</p> <ul> <li>To store and load my ssh key</li> <li>As password management for my company</li> </ul> <h3 id="export">Export</h3> <p>There were over 400 entries in my pass store. A manual migration was out of question. I created script that parsed the pass entries and handled the following cases:</p> <ul> <li>OTP entries</li> <li>Fallback to default username</li> <li>Escaping strings</li> <li>Process additional fields</li> </ul> <p>And here is the script / bash function:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>export-keepass-csv<span style="color:#f92672">()</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> test -z <span style="color:#e6db74">&#34;</span>$1<span style="color:#e6db74">&#34;</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;\$1 is empty.&#34;</span> &gt;&amp;<span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> OUTPUT_FILE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$1<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> PASS_DIR<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>PASSWORD_STORE_DIR<span style="color:#66d9ef">:-</span>$HOME/.password-store<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Validate PASS_DIR exists</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[[</span> ! -d <span style="color:#e6db74">&#34;</span>$PASS_DIR<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Error: Password store directory not found: </span>$PASS_DIR<span style="color:#e6db74">&#34;</span> &gt;&amp;<span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Header (already properly quoted)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#39;&#34;Group&#34;,&#34;Title&#34;,&#34;Username&#34;,&#34;Password&#34;,&#34;URL&#34;,&#34;Notes&#34;,&#34;TOTP&#34;&#39;</span> &gt; <span style="color:#e6db74">&#34;</span>$OUTPUT_FILE<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Use process substitution to avoid subshell</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">while</span> read -r FILE; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Parse pass file: </span><span style="color:#e6db74">${</span>FILE#$PASS_DIR/<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> REL_PATH<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>FILE#$PASS_DIR/<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> REL_PATH<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>REL_PATH%.gpg<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> GROUP<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;Root/Pass/</span><span style="color:#66d9ef">$(</span>dirname $REL_PATH<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> FOLDER<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>dirname <span style="color:#e6db74">&#34;</span>$GROUP<span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> TITLE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>basename <span style="color:#e6db74">&#34;</span>$REL_PATH<span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> ENTRY<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>pass show <span style="color:#e6db74">&#34;</span>$REL_PATH<span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Extract password (first line)</span> </span></span><span style="display:flex;"><span> PASSWORD<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$ENTRY<span style="color:#e6db74">&#34;</span> | head -n1<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Initialize fields</span> </span></span><span style="display:flex;"><span> USERNAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> URL<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;https://</span>$TITLE<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> NOTES<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> TOTP<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Parse additional key-value lines (skip first line)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">while</span> IFS<span style="color:#f92672">=</span> read -r LINE; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">case</span> <span style="color:#e6db74">&#34;</span>$LINE<span style="color:#e6db74">&#34;</span> in </span></span><span style="display:flex;"><span> username:*<span style="color:#f92672">)</span> USERNAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#username: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> Username:*<span style="color:#f92672">)</span> USERNAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#Username: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> notes:*<span style="color:#f92672">)</span> NOTES<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#notes: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> Notes:*<span style="color:#f92672">)</span> NOTES<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#Notes: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> url:*<span style="color:#f92672">)</span> URL<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#url: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> Url:*<span style="color:#f92672">)</span> URL<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#Url: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> totp:*<span style="color:#f92672">)</span> TOTP<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>LINE#totp: <span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> ;; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">esac</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">done</span> <span style="color:#f92672">&lt;&lt;&lt;</span> <span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s\n&#39;</span> <span style="color:#e6db74">&#34;</span>$ENTRY<span style="color:#e6db74">&#34;</span> | tail -n +2<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># If password starts with otpauth://, extract the secret and set as TOTP</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[[</span> <span style="color:#e6db74">&#34;</span>$PASSWORD<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">==</span> otpauth://* <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Extract secret from otpauth URL using query parameter parsing</span> </span></span><span style="display:flex;"><span> SECRET<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>echo <span style="color:#e6db74">&#34;</span>$PASSWORD<span style="color:#e6db74">&#34;</span> | sed -n <span style="color:#e6db74">&#39;s/.*secret=\([^&amp;]*\).*/\1/p&#39;</span> | tr <span style="color:#e6db74">&#39;[:lower:]&#39;</span> <span style="color:#e6db74">&#39;[:upper:]&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[[</span> -n <span style="color:#e6db74">&#34;</span>$SECRET<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> TOTP<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$SECRET<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Use fallback username based on folder</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[[</span> <span style="color:#e6db74">&#34;</span>$USERNAME<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;&#34;</span> <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[[</span> <span style="color:#e6db74">&#34;</span>$FOLDER<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">==</span> *<span style="color:#e6db74">&#34;private&#34;</span>* <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> USERNAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$FALLBACK_USERNAME_private<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">elif</span> <span style="color:#f92672">[[</span> <span style="color:#e6db74">&#34;</span>$FOLDER<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">==</span> *<span style="color:#e6db74">&#34;mint-system&#34;</span>* <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> USERNAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$FALLBACK_USERNAME_mint_system<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">elif</span> <span style="color:#f92672">[[</span> <span style="color:#e6db74">&#34;</span>$FOLDER<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">==</span> *<span style="color:#e6db74">&#34;sozialinfo&#34;</span>* <span style="color:#f92672">]]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> USERNAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$FALLBACK_USERNAME_sozialinfo<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Function to escape double quotes and wrap in quotes for CSV</span> </span></span><span style="display:flex;"><span> PASSWORD_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$PASSWORD<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> USERNAME_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$USERNAME<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> NOTES_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$NOTES<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> TOTP_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$TOTP<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># URL is usually safe, but still escape if needed</span> </span></span><span style="display:flex;"><span> URL_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$URL<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Group and Title should also be escaped</span> </span></span><span style="display:flex;"><span> GROUP_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$GROUP<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> TITLE_CSV<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%s&#39;</span> <span style="color:#e6db74">&#34;</span>$TITLE<span style="color:#e6db74">&#34;</span> | sed <span style="color:#e6db74">&#39;s/&#34;/&#34;&#34;/g; s/.*/&#34;&amp;&#34;/&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Write to CSV</span> </span></span><span style="display:flex;"><span> printf <span style="color:#e6db74">&#39;%s,%s,%s,%s,%s,%s,%s\n&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$GROUP_CSV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$TITLE_CSV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$USERNAME_CSV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$PASSWORD_CSV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$URL_CSV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$NOTES_CSV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;</span>$TOTP_CSV<span style="color:#e6db74">&#34;</span> &gt;&gt; <span style="color:#e6db74">&#34;</span>$OUTPUT_FILE<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">done</span> &lt; &lt;<span style="color:#f92672">(</span>find <span style="color:#e6db74">&#34;</span>$PASS_DIR<span style="color:#e6db74">&#34;</span> -name <span style="color:#e6db74">&#34;*.gpg&#34;</span> ! -name <span style="color:#e6db74">&#34;.gpg&#34;</span> -print<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;All pass entries exported to </span>$OUTPUT_FILE<span style="color:#e6db74">.&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div><p>Note that this bash function was added to a <a href="https://taskfile.build/">task script</a> and called with <code>./task export-keepass-csv</code> in context of the <code>.password-store</code> folder.</p> <p>I am quite happy with the decision to go back using KeePass. The browser plugin and the passkey support are a great help.</p> Store Passkeys in KeePassXC https://janikvonrotz.ch/2025/07/04/store-passkeys-keepassxc/ Fri, 04 Jul 2025 08:04:42 +0200 https://janikvonrotz.ch/2025/07/04/store-passkeys-keepassxc/ <hr> <p>The goal of Passkeys is to replace passwords.</p> <p>The idea is that instead of remembering a password and entering it to access your account, you own a device that generates a password for you.</p> <p>Remembering is replaced with Owning.</p> <p>In this post, I&rsquo;ll give an example of such a device and how you can create and store a Passkey securely.</p> <h2 id="yubikey">YubiKey</h2> <p>A device that can be used as a Passkey is the <a href="https://en.wikipedia.org/wiki/YubiKey">YubiKey</a>. Setting it up is actually quite simple. In this example, we have an online account and are going to set up the Passkey. In the security settings of the online account, I click <em>Add Passkey</em>, and the browser prompts for an input:</p> <p><img src="https://janikvonrotz.ch/images/browser%20prompt%20passkey.png" alt=""></p> <p>The YubiKey is plugged in, I touch the YubiKey, and the device is registered. That&rsquo;s it. From now on, when I log into my account, as a login option, I can choose Passkey. The browser prompts for the input, I touch the YubiKey, and get logged in.</p> <p>However, at this point, you might ask: What happens when I lose the YubiKey? Can I make a backup of the key?</p> <p>The short answer is: You cannot create a backup of a YubiKey.</p> <p>So, the YubiKey might not be the best solution to use as a Passkey. Luckily, there are other providers and devices to manage a Passkey.</p> <h2 id="keepassxc">KeePassXC</h2> <p>Here, I will show you how you can create and store a Passkey with <a href="https://keepassxc.org/">KeePassXC</a>.</p> <ul> <li>Install KeePassXC</li> <li>Set up a password database</li> <li>In the settings, enable the browser integration and select your browser</li> <li>Install the KeePassXC browser extension</li> <li>Connect the extension to your KeePassXC database</li> <li>Enable the <em>Passkeys</em> option in the KeePassXC browser extension settings</li> <li>Optionally, set the <em>Default group for saving new passkeys</em> field</li> </ul> <p><img src="https://janikvonrotz.ch/images/KeePassXC%20Browser%20Extension%20Passkeys.png" alt=""></p> <p>You may need to restart your browser for the changes to take effect. When you register a new Passkey for your account, the KeePassXC extension will open the KeePassXC database locally and show this dialog:</p> <p><img src="https://janikvonrotz.ch/images/KeePassXC%20Passkey%20Register.png" alt=""></p> <p>You can click <em>Register</em>, and then you&rsquo;ll find a Passkey entry in your KeePassXC database.</p> <p>Logging into your account with a Passkey is simple. Select the Passkey option, and the KeePassXC extension will find a matching entry and prompt to authenticate.</p> <p><img src="https://janikvonrotz.ch/images/KeePassXC%20Authentication.png" alt=""></p> <p>Click <em>Authenticate</em>, and you should be logged in.</p> <p>The KeePassXC database can be backed up, and while Passkey entries can technically be exported, it&rsquo;s crucial to understand the security implications before doing so.</p> <h2 id="recommendations">Recommendations</h2> <p>When registering a Passkey for your account, I recommend using both KeePassXC and YubiKey. The main reason is the mobile browser of your smartphone. Setting up the KeePassXC Passkey solution on your smartphone is currently not possible (as far as I know).</p> <p>The YubiKey can be plugged into the smartphone&rsquo;s USB-C port and used to authenticate with any mobile browser. Here is a simple webpage that shows Passkey device and browser compatibility: <a href="https://www.passkeys.io/compatible-devices">https://www.passkeys.io/compatible-devices</a></p> Using pass in teams https://janikvonrotz.ch/2018/04/03/using-pass-in-teams/ Tue, 03 Apr 2018 08:29:22 +0000 https://janikvonrotz.ch/2018/04/03/using-pass-in-teams/ <h1 id="introduction">Introduction</h1> <p><a href="https://www.passwordstore.org/">Pass</a> is the standard password manager for Unix systems. It follows the <a href="http://en.wikipedia.org/wiki/Unix_philosophy">Unix philosophy</a>.</p> <p>Pass saves passwords in text files and encrypts them using a gpg key. The folder structure containing the encrypted files is the pass store. Sharing a pass store without handing over the gpg key requires a gpg key exchange. Git is integrated into the pass <a href="https://en.wikipedia.org/wiki/Command-line_interface">cli</a> and is used as version control system.</p> <p>This document is a guideline for users which require access to a shared pass store and is also a documentation of how to set up a shared pass store. The first part elaborates the process of creating a shared pass store and the second part shows how collaboration from the perspective of a user looks like.</p> <h2 id="variables">Variables</h2> <p>In the document you will find different variables starting and ending with <strong>_</strong> underscore. Below is a description of what those variables mean.</p> <pre><code>$PROJECT_NAME: A unique name for the shared pass store folder. $GIT_REMOTE_URL_: Remote url of the shared pass store git repository. $PERSONAL_MAIL: Personal mail address which is used as gpg key id. $TEAM_MAIL: Shared team mail address which is used for the shared gpg key id. </code></pre> <h1 id="setup-a-shared-pass-store">Setup a shared pass store</h1> <p>Install pass using the package manager of your choice and setup a new personal store.</p> <p>Install pass using yum.<br> <code>yum install pass</code></p> <p>If you do not have a personal gpg key, create one. Make sure to set a correct mail address.<br> <code>gpg --gen-key</code></p> <p>Initialize a personal pass store.<br> <code>pass init $PERSONAL_MAIL</code></p> <p>Passwords are encrypted with a gpg key. In a team environment the gpg key should not impersonate somebody but rather the team itself. That is why a new gpg key is required.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>gpg --gen-key </span></span><span style="display:flex;"><span><span style="color:#75715e"># Real name:</span> </span></span><span style="display:flex;"><span>&gt; $TEAM_MAIL </span></span><span style="display:flex;"><span><span style="color:#75715e"># Email address:</span> </span></span><span style="display:flex;"><span>&gt; $TEAM_MAIL </span></span><span style="display:flex;"><span><span style="color:#75715e"># Confirm</span> </span></span><span style="display:flex;"><span>&gt; O </span></span><span style="display:flex;"><span><span style="color:#75715e"># Enter the password</span> </span></span><span style="display:flex;"><span>&gt; _PASSWORD_ </span></span></code></pre></div><p>Create a new pass store in a subfolder.<br> <code>pass init -p $PROJECT_NAME $TEAM_MAIL</code></p> <p>Add the gpg test password to the new store.<br> <code>pass generate $PROJECT_NAME/sharedpass 20</code></p> <p>Setup a git repo for the shared pass store.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/.password-store/$PROJECT_NAME </span></span><span style="display:flex;"><span>git init </span></span><span style="display:flex;"><span>git add . </span></span><span style="display:flex;"><span>git commit -m <span style="color:#e6db74">&#34;Init </span>$PROJECT_NAME<span style="color:#e6db74"> password store&#34;</span> </span></span><span style="display:flex;"><span>git remote add origin $GIT_REMOTE_URL_ </span></span><span style="display:flex;"><span>git push --set-upstream origin master </span></span></code></pre></div><p>Add the gpg public key to the store.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir .gpg-keys </span></span><span style="display:flex;"><span>gpg --output .gpg-keys/$TEAM_MAIL.gpg --export $TEAM_MAIL </span></span><span style="display:flex;"><span>git add $TEAM_MAIL.gpg </span></span><span style="display:flex;"><span>git commit -m <span style="color:#e6db74">&#34;Add </span>$TEAM_MAIL<span style="color:#e6db74"> public key&#34;</span> </span></span><span style="display:flex;"><span>git push </span></span></code></pre></div><p>The remote repo can be cloned as a subfolder into the existing pass store folders. Git will treat the subfolder as a git submodule.</p> <h1 id="request-access-to-shared-pass-store">Request access to shared pass store</h1> <p>In the following steps we assume that another member of the team requires access to the shared pass store.</p> <p>Clone the shared pass store repository.<br> <code>git clone $GIT_REMOTE_URL_ ~/.password-store/$PROJECT_NAME</code></p> <p>The shared pass store is now available as subfolder to your personal pass store. If you have enabled git for the personal pass store the subfolder will be treated as git submodule. Changes in the shared pass store will not affect your personal store.</p> <p>In order to be able to decrypt the passwords in the shared pass store, the store key must be signed by the personal gpg key.</p> <p>List your gpg keys.<br> <code>gpg --list-key</code></p> <p>Add the personal key to the shared pass store.<br> <code>echo &quot;$PERSONAL_MAIL&quot; &gt;&gt; ~/.password-store/$PROJECT_NAME/.gpg-id</code></p> <p>And export the public gpg key.<br> <code>gpg --output ~/.password-store/$PROJECT_NAME/.gpg-keys/$PERSONAL_MAIL.gpg --export $PERSONAL_MAIL</code></p> <p>Then submit a request by committing the gpg id.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/.password-store/$PROJECT_NAME </span></span><span style="display:flex;"><span>git add . </span></span><span style="display:flex;"><span>git commit -m <span style="color:#e6db74">&#34;Request access for </span>$PERSONAL_MAIL<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span>git push </span></span></code></pre></div><p>The receiver of this request is the owner of the shared pass store signer key <code>$TEAM_MAIL</code>.</p> <h1 id="grant-access-to-users">Grant access to users</h1> <p>The owner of the signer key must sign all keys of new team members.</p> <p>First import the new keys.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/.password-store/$PROJECT_NAME/.gpg-keys </span></span><span style="display:flex;"><span>gpg --import $PERSONAL_MAIL.gpg </span></span></code></pre></div><p>Then sign the imported key.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>gpg --local-user $TEAM_MAIL --sign-key $PERSONAL_MAIL </span></span><span style="display:flex;"><span>gpg --edit-key $PERSONAL_MAIL </span></span><span style="display:flex;"><span><span style="color:#75715e"># Confirm</span> </span></span><span style="display:flex;"><span>&gt; y </span></span><span style="display:flex;"><span><span style="color:#75715e"># enter the passphrase for $TEAM_MAIL</span> </span></span><span style="display:flex;"><span>&gt; save </span></span></code></pre></div><p>Reinitialize the password store.<br> <code>pass init -e -p $PROJECT_NAME $(cat ~/.password-store/$PROJECT_NAME/.gpg-id)</code></p> <p>Push the changes.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/.password-store/$PROJECT_NAME </span></span><span style="display:flex;"><span>git push </span></span></code></pre></div><p>The user should now be able the decrypt the password using the <code>$PERSONAL_MAIL</code> key.</p> <h1 id="contribute-to-a-shared-pass-store">Contribute to a shared pass store</h1> <p>New password insertions must be encrypted with the <code>$TEAM_MAIL</code> gpg key.</p> <p>The gpg key can be imported from the shared pass folder.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd ~/.password-store/$PROJECT_NAME/.gpg-keys </span></span><span style="display:flex;"><span>gpg --import $TEAM_MAIL.gpg </span></span></code></pre></div><p>In order to encrypt new pass entries, you must trust the key.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>gpg --edit-key $TEAM_MAIL.gpg </span></span><span style="display:flex;"><span>&gt; trust </span></span><span style="display:flex;"><span>&gt; <span style="color:#ae81ff">5</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># exit the cli</span> </span></span></code></pre></div><p>Now you can start creating new entries using the <a href="https://git.zx2c4.com/password-store/about/">pass cli</a>.</p> <h1 id="notes">Notes</h1> <p>If there is a gpg registry you can obtain the public keys from there. There would be no need to exchange public key as files.</p> <h1 id="updates">Updates</h1> <p><em>2019-10-16 Edit: Renamed the variables with a &lsquo;$&rsquo; prefix. Ensuring bash compatiblity.</em><br> <em>2019-10-16 Edit: Updated guide for latest pass version.</em></p> <h1 id="sources">Sources</h1> <p><a href="https://www.passwordstore.org">Official pass homepage</a></p> <p><a href="https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592">Medium - Using pass in a team</a></p> XKCD PowerShell password generator https://janikvonrotz.ch/2017/08/11/xkcd-powershell-password-generator/ Fri, 11 Aug 2017 13:04:45 +0000 https://janikvonrotz.ch/2017/08/11/xkcd-powershell-password-generator/ <blockquote> <p>Through 20 ears of effort, we&rsquo;ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.</p> </blockquote> <p>If you are a <a href="https://news.ycombinator.com/">Hacker News</a> binge reader such as me, you might have read this article: <a href="http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987">The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time</a>.</p> <p>This article reminded my of how stupid current password guidelines are and that we need to change that. A few months ago I wrote a random <a href="https://janikvonrotz.ch/2015/09/07/password-generator-with-powershell/">password generator function</a> and decided that it needs an update to make the generated passwords more memorable.</p> <p>Inspiration for the new random password was the following XKCD comic:</p> <p><img src="https://janikvonrotz.ch/wp-content/uploads/2017/08/password_strength.png" alt="Untitled"></p> <p>So instead of using any kind of character for the password, simply put four random words together. To create this kind of password we need a word list with common nouns. I&rsquo;ve created a german and english word list for you to download:</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2017/08/wordlist.de_.txt">wordlist.de.txt</a> <a href="https://janikvonrotz.ch/wp-content/uploads/2017/08/wordlist.en_.txt">wordlist.en.txt</a></p> <p><strong>Get-XKCDPassword.ps1</strong></p> <p>And here is the PowerShell function:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#66d9ef">function</span> Get-XKCDPassword { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Param</span>( </span></span><span style="display:flex;"><span> [<span style="color:#66d9ef">int</span>]$words = <span style="color:#ae81ff">4</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [<span style="color:#66d9ef">string</span>]$delimiter = <span style="color:#e6db74">&#34;-&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [ValidateSet(<span style="color:#e6db74">&#34;en&#34;</span>,<span style="color:#e6db74">&#34;de&#34;</span>)] </span></span><span style="display:flex;"><span> [<span style="color:#66d9ef">string</span>]$lang = <span style="color:#e6db74">&#34;en&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [<span style="color:#66d9ef">switch</span>]$FirstLetterUpperCase </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $password = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> $wordlist = @{ </span></span><span style="display:flex;"><span> de = <span style="color:#e6db74">&#34;/wp-content/uploads/2017/08/wordlist.de_.txt&#34;</span> </span></span><span style="display:flex;"><span> en = <span style="color:#e6db74">&#34;/wp-content/uploads/2017/08/wordlist.en_.txt&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">switch</span>($words) { </span></span><span style="display:flex;"><span> {$_ <span style="color:#f92672">-ge</span> <span style="color:#ae81ff">6</span> } { <span style="color:#66d9ef">throw</span> <span style="color:#e6db74">&#34;Word parameter cannot be greater or equal 6.&#34;</span> } </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">5</span> { $range = (<span style="color:#ae81ff">3</span>,<span style="color:#ae81ff">4</span>) } </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">4</span> { $range = (<span style="color:#ae81ff">4</span>,<span style="color:#ae81ff">5</span>) } </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">3</span> { $range = (<span style="color:#ae81ff">5</span>,<span style="color:#ae81ff">6</span>) } </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">2</span> { $range = (<span style="color:#ae81ff">7</span>,<span style="color:#ae81ff">8</span>) } </span></span><span style="display:flex;"><span> {$_ <span style="color:#f92672">-le</span> <span style="color:#ae81ff">1</span> } { <span style="color:#66d9ef">throw</span> <span style="color:#e6db74">&#34;Word parameter cannot be less or equal 1.&#34;</span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $list = (((Invoke-WebRequest $wordlist[$lang]).Content -split <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> | ForEach-Object{ </span></span><span style="display:flex;"><span> New-Object PSObject -Property @{ </span></span><span style="display:flex;"><span> Value = $_.ToLower() </span></span><span style="display:flex;"><span> Length=$_.length </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }) | Where-Object { ($_.Length <span style="color:#f92672">-eq</span> ($range[<span style="color:#ae81ff">0</span>] + <span style="color:#ae81ff">1</span>)) <span style="color:#f92672">-or</span> ($_.Length <span style="color:#f92672">-eq</span> ($range[<span style="color:#ae81ff">1</span>] + <span style="color:#ae81ff">1</span>)) }) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">1</span>..$words | ForEach-Object { </span></span><span style="display:flex;"><span> $part = (Get-Random $list).Value.Trim() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($FirstLetterUpperCase ) { </span></span><span style="display:flex;"><span> $password += ((Get-Culture).TextInfo).ToTitleCase($part) </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> { </span></span><span style="display:flex;"><span> $password += $part </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_ <span style="color:#f92672">-lt</span> $words){ </span></span><span style="display:flex;"><span> $password += $delimiter </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> $password </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Get-XKCDPassword -words <span style="color:#ae81ff">4</span> -delimiter <span style="color:#e6db74">&#34;-&#34;</span> -lang <span style="color:#e6db74">&#34;de&#34;</span> -FirstLetterUpperCase </span></span></code></pre></div><p>Here are some results:</p> <pre tabindex="0"><code>bite-bomb-pupil-basis crime-wedge-alley-roll side-filly-bloom-fairy read-tribe-mouth-jail knot-make-child-moth </code></pre><p>And a few more in german:</p> <pre tabindex="0"><code>Seite-Sorge-Saft-Nadel Fluss-Glas-Alter-Rand Nord-Maul-Wert-Nabel Sand-Schal-Anruf-Rand Sahne-Post-Name-Park </code></pre> Migrate KeePass to Pass https://janikvonrotz.ch/2017/07/24/migrate-keepass-to-pass/ Mon, 24 Jul 2017 10:05:46 +0000 https://janikvonrotz.ch/2017/07/24/migrate-keepass-to-pass/ <p>I&rsquo;m using <a href="http://keepass.info/">KeePass</a> for a few years now. It always has been the password manager of my choice. Currently I&rsquo;m using KeePass on my Mac and Windows connected to the same database file. The KeePass database file is stored in a OneDrive folder, encrypted with a password and keyfile, which is stored in the <a href="https://keybase.io">Keybase</a> filesystem. This setup gives me maximum security and portability. However, it makes it impossible to use KeePass on my mobile device. Also I miss the possibility to use KeePass in my browser or on the command line. I&rsquo;ve looked for an alternative solution, which doesn&rsquo;t compromise on security and gives me the same level of portability.</p> <p>So I&rsquo;ve found <a href="https://www.passwordstore.org/">Pass</a>. The standard Unix password manager. Pass is a command line tool that stores password entries in gpg-encrypted files in a git folder. There is a Windows, Mac, iOS client and a browser plugin. I&rsquo;ve decided to give it a try. Now I would like to show you how I migrated my KeePass database into the Pass store.</p> <ol> <li> <p>First I&rsquo;ve exported the database as an XML file. This is only possible with the Windows KeePass client.</p> </li> <li> <p>On my Mac I&rsquo;ve set up Pass with a store. You could setup Pass on Windows with <a href="https://msdn.microsoft.com/en-us/commandline/wsl/about">Bash on Ubuntu on Windows</a> aka Linux subsystem for windows.</p> </li> <li> <p>Finally I developed and executed a <a href="https://github.com/PowerShell/PowerShell">PowerShell</a> script on my Mac, which migrates the xml data to Pass.</p> </li> </ol> <p><strong>keepass2pass.ps1</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>[<span style="color:#66d9ef">xml</span>]$Content = Get-Content -Path <span style="color:#e6db74">&#34;KeepassData.xml&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> Traverse-Tree ($Node, $ParentPath) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $Path = $ParentPath + <span style="color:#e6db74">&#34;/&#34;</span> + $Node.Name </span></span><span style="display:flex;"><span> $ChildNodes = $Node.Group </span></span><span style="display:flex;"><span> $Entries = $Node.Entry </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($Entries <span style="color:#f92672">-and</span> ($Node.Name <span style="color:#f92672">-notcontains</span> <span style="color:#e6db74">&#34;Recycle Bin&#34;</span>)) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span> ($Entry <span style="color:#66d9ef">in</span> $Entries) { </span></span><span style="display:flex;"><span> $Content = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> $Title = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> $Password = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span> ($Field <span style="color:#66d9ef">in</span> $Entry.String) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">switch</span>($Field.Key) { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Title&#34;</span> { $Title = $Field.Value } </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Password&#34;</span> { $Password = $Field.Value.<span style="color:#e6db74">&#39;#text&#39;</span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">default</span> { </span></span><span style="display:flex;"><span> $Content += <span style="color:#e6db74">&#34;</span>$($Field.Key)<span style="color:#e6db74">: </span><span style="color:#ae81ff">`&#34;</span>$($Field.Value)<span style="color:#ae81ff">`&#34;`n</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> @{ </span></span><span style="display:flex;"><span> Path = $Path + <span style="color:#e6db74">&#34;/&#34;</span> + $Title </span></span><span style="display:flex;"><span> Content = $Password + <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $Content </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($ChildNodes) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span> ($ChildNode <span style="color:#66d9ef">in</span> $ChildNodes ) { </span></span><span style="display:flex;"><span> Traverse-Tree $ChildNode $Path </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$PasswordEntries = $Content.KeePassFile.Root.Group.Group | ForEach-Object { </span></span><span style="display:flex;"><span> Traverse-Tree -Node $_ -ParentPath <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>} | ForEach-Object { </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Creating pass entry: </span>$($_.Path)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $_.Content | &amp; pass insert -m $_.Path </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>You can get the latest version of this file here: <a href="https://gist.github.com/898be0891058ee091dae8c68a8e2b91e">https://gist.github.com/898be0891058ee091dae8c68a8e2b91e</a></p> <p>The script is fairly simple. It traverses the database folder tree and extracts all password entries. These entries are then recreated with the <code>pass insert</code> command.</p> <p>Feel free to use and update the script.</p> Password Generator with PowerShell https://janikvonrotz.ch/2015/09/07/password-generator-with-powershell/ Mon, 07 Sep 2015 15:03:41 +0000 https://janikvonrotz.ch/2015/09/07/password-generator-with-powershell/ <p>Whenever I had to think of a secure password I followed these steps:</p> <ul> <li>The right order of vocals and consonants makes it more easy to remember a password.</li> <li>And so do three digits of a number.</li> <li>Add one uppercase Letter. Likely as the first character.</li> <li>Add a dot or another sign to expand to vocabulary even more.</li> </ul> <p>As I&rsquo;am using a PowerShell a lot I&rsquo;ve created the function/script below to create such a password.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#66d9ef">function</span> Get-RandomPasswort{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $numbers = <span style="color:#ae81ff">1</span>.<span style="color:#ae81ff">.9</span> </span></span><span style="display:flex;"><span> $consonants = <span style="color:#e6db74">&#34;b&#34;</span>,<span style="color:#e6db74">&#34;c&#34;</span>,<span style="color:#e6db74">&#34;d&#34;</span>,<span style="color:#e6db74">&#34;f&#34;</span>,<span style="color:#e6db74">&#34;g&#34;</span>,<span style="color:#e6db74">&#34;h&#34;</span>,<span style="color:#e6db74">&#34;k&#34;</span>,<span style="color:#e6db74">&#34;l&#34;</span>,<span style="color:#e6db74">&#34;m&#34;</span>,<span style="color:#e6db74">&#34;n&#34;</span>,<span style="color:#e6db74">&#34;p&#34;</span>,<span style="color:#e6db74">&#34;r&#34;</span>,<span style="color:#e6db74">&#34;s&#34;</span>,<span style="color:#e6db74">&#34;t&#34;</span>,<span style="color:#e6db74">&#34;v&#34;</span>,<span style="color:#e6db74">&#34;w&#34;</span>,<span style="color:#e6db74">&#34;x&#34;</span>,<span style="color:#e6db74">&#34;z&#34;</span> </span></span><span style="display:flex;"><span> $nopeletters = <span style="color:#e6db74">&#34;j&#34;</span>,<span style="color:#e6db74">&#34;q&#34;</span>,<span style="color:#e6db74">&#34;y&#34;</span> </span></span><span style="display:flex;"><span> $vocals = <span style="color:#e6db74">&#34;a&#34;</span>,<span style="color:#e6db74">&#34;e&#34;</span>,<span style="color:#e6db74">&#34;i&#34;</span>,<span style="color:#e6db74">&#34;o&#34;</span>,<span style="color:#e6db74">&#34;u&#34;</span> </span></span><span style="display:flex;"><span> $dotsandstuff = <span style="color:#e6db74">&#34;,&#34;</span>,<span style="color:#e6db74">&#34;.&#34;</span>,<span style="color:#e6db74">&#34;-&#34;</span> </span></span><span style="display:flex;"><span> $nopedotsandstuff = <span style="color:#e6db74">&#34;;&#34;</span>,<span style="color:#e6db74">&#34;:&#34;</span>,<span style="color:#e6db74">&#34;_&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (Get-Random $consonants).ToString().ToUpper() + </span></span><span style="display:flex;"><span> (Get-Random $vocals) + </span></span><span style="display:flex;"><span> (Get-Random $consonants) + </span></span><span style="display:flex;"><span> (Get-Random $numbers) + </span></span><span style="display:flex;"><span> (Get-Random $numbers) + </span></span><span style="display:flex;"><span> (Get-Random $numbers) + </span></span><span style="display:flex;"><span> (Get-Random $vocals) + </span></span><span style="display:flex;"><span> (Get-Random $consonants) + </span></span><span style="display:flex;"><span> (Get-Random $vocals) + </span></span><span style="display:flex;"><span> (Get-Random $dotsandstuff) </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Get the lastest version of this snippet here: <a href="https://gist.github.com/f437d7764a43b9de6c3a">https://gist.github.com/f437d7764a43b9de6c3a</a></p> <h3 id="example">Example</h3> <p>Create 10 new password is easily done.</p> <pre tabindex="0"><code>1..10 | %{Get-RandomPasswort} Zov683oxa. Pev541imi- Pim276ovo- Vus211ixi. Dab998inu. Dup268awi. Det893ema. Xok762axa- Lun996azu, Gal196ere. </code></pre> Change Active Directory User Password Expiration Mode https://janikvonrotz.ch/2013/12/11/change-active-directory-user-password-expiration-mode/ Wed, 11 Dec 2013 17:35:45 +0000 https://janikvonrotz.ch/2013/12/11/change-active-directory-user-password-expiration-mode/ <p>To change an Active Directory users password expiration mode you can use this PowerShell snippet:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Get-ADGroupMember <span style="color:#e6db74">&#34;Group1&#34;</span> -Recursive | </span></span><span style="display:flex;"><span>Get-ADUser -Properties PasswordNeverExpires | </span></span><span style="display:flex;"><span>where {$_.enabled <span style="color:#f92672">-eq</span> $true <span style="color:#f92672">-and</span> $_.PasswordNeverExpires <span style="color:#f92672">-eq</span> $false} | </span></span><span style="display:flex;"><span>select -First <span style="color:#ae81ff">50</span> | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host $_.UserPrincipalName </span></span><span style="display:flex;"><span> Set-ADUser $_ -PasswordNeverExpires $true </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Latest version of this snippet: <!-- raw HTML omitted --><a href="https://gist.github.com/7913696">https://gist.github.com/7913696</a><!-- raw HTML omitted --><!-- raw HTML omitted --></p> Handling user password change and expiration issues with Office365 and ADFS – Part 2 https://janikvonrotz.ch/2013/09/23/handling-user-password-change-and-expiration-issues-withoffice365-and-adfs-part-2/ Mon, 23 Sep 2013 08:50:49 +0000 https://janikvonrotz.ch/2013/09/23/handling-user-password-change-and-expiration-issues-withoffice365-and-adfs-part-2/ <p><a href="https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/">https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/</a></p> <p>This is part two of my experience in handling the password change office365 architecture issue.</p> <p>Last time I&rsquo;ve built a simple script  to notificate the users about the status of their passwords. In the mean time we (me and another employ of the &ldquo;<!-- raw HTML omitted -->vbl <!-- raw HTML omitted -->Informatik&rdquo;) built a simple website for the office365 users to change their password.</p> <p>The whole project is now available on <!-- raw HTML omitted --><a href="https://codeberg.org/janikvonrotz/ActiveDirectory-Password-Change">https://codeberg.org/janikvonrotz/ActiveDirectory-Password-Change</a><!-- raw HTML omitted --></p> <p>Checkout the instructions in the readme fileto set up the password change website.</p> <p>If you have setup the website already I recommend you to include the site with a sharepoint webpart here&rsquo;s an example:</p> <p><img src="https://janikvonrotz.ch/wp-content/uploads/2013/09/Passwortwechsel.png" alt="Passwortwechsel"></p> <!-- raw HTML omitted --> <!-- raw HTML omitted --> Handling user password change and expiration issues with Office365 and ADFS - Part 1 https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/ Thu, 08 Aug 2013 14:41:37 +0000 https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/ <p>Recently I&rsquo;ve setup a Office365 Service with ADFS (Active Directory Federation Service) and a DirSync Server.</p> <p>Sadly I forgot about a huge disadvantage in this architecture, due to using ADFS as an authentication provider, it&rsquo;s not possible to change a users password. The communication form the local ActiveDirectory environment to the cloud based Office365 services is only one directional.</p> <p>That&rsquo;s why there are only 2 options yet to handle the user password change and expiration:</p> <!-- raw HTML omitted --> <p>At this time option 1 is active in my environment and option 2 is my goal.</p> <p>In this post series want to show you the solution I&rsquo;ve developed.</p> <p>Let&rsquo;s start with password expiration. Because Office365 doesn&rsquo;t handle password expiration, that&rsquo;s why I have to use another channel to show the users on which date their passwords expire:  Let&rsquo;s do it with an bulk e-mail job.</p> <!-- raw HTML omitted --> <p>This part isn&rsquo;t a lot of effort. There are 2 requirements, one is a must and the other is optional:</p> <!-- raw HTML omitted --> <p>Now the script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Send Password Expiration Reminder&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Send-PasswordExpirationReminder.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, script, jobs&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;http://.janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-08-08&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-11-25&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;2.1.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">try</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------# </span> </span></span><span style="display:flex;"><span> Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------# </span> </span></span><span style="display:flex;"><span> $TriggerDays = <span style="color:#ae81ff">25</span>, <span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $SendLinkOnDays = <span style="color:#ae81ff">25</span>,<span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $DaysBeforeDisablingUsersWithPasswordNeverExpires = <span style="color:#ae81ff">180</span> </span></span><span style="display:flex;"><span> $ADGroup = <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-36648&#34;</span> <span style="color:#75715e"># Memberof GroupName should be &#34;SPO_PasswordNotification&#34; </span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get mail config </span> </span></span><span style="display:flex;"><span> $Mail = Get-PPConfiguration $PSconfigs.Mail.<span style="color:#66d9ef">Filter</span> | %{$_.Content.Mail | where{$_.Name <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;PasswordReminder&#34;</span>}} | select -first <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get days until password expires</span> </span></span><span style="display:flex;"><span> $MaxDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($MaxDays <span style="color:#f92672">-le</span> <span style="color:#ae81ff">0</span>){<span style="color:#66d9ef">throw</span> <span style="color:#e6db74">&#34;Domain &#39;MaximumPasswordAge&#39; password policy is not configured.&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Set days when an email should be sent to inform the users</span> </span></span><span style="display:flex;"><span> $TriggerDays = <span style="color:#ae81ff">25</span>, <span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $SendLinkOnDays = <span style="color:#ae81ff">25</span>,<span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span>($TriggerDay <span style="color:#66d9ef">in</span> $TriggerDays){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Memberof GroupName should be &#34;SPO_PasswordNotification&#34; </span> </span></span><span style="display:flex;"><span> Get-ADGroupMember $ADGroup -Recursive | </span></span><span style="display:flex;"><span> Get-ADUser -Properties Enabled, lastLogonTimestamp, PasswordNeverExpires, PasswordLastSet, Mail, DisplayName | </span></span><span style="display:flex;"><span> Select *, @{L = <span style="color:#e6db74">&#34;PasswordExpires&#34;</span>;E = { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.PasswordNeverExpires){ </span></span><span style="display:flex;"><span> $DaysBeforeDisablingUsersWithPasswordNeverExpires - ((Get-Date) - ($_.PasswordLastSet)).Days </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> $MaxDays - ((Get-Date) - ($_.PasswordLastSet)).Days </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }} | </span></span><span style="display:flex;"><span> where{($_.Enabled <span style="color:#f92672">-eq</span> $true) <span style="color:#f92672">-and</span> ($_.PasswordExpires <span style="color:#f92672">-eq</span> $TriggerDay)} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># set subject</span> </span></span><span style="display:flex;"><span> $Subject = <span style="color:#e6db74">&#34;Passwort Erinnerung: </span>$($_.DisplayName)<span style="color:#e6db74"> ihr Passwort läuft in </span>$($_.PasswordExpires)<span style="color:#e6db74"> Tagen ab&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $BodyFont = <span style="color:#e6db74">&#34;font-size: 11pt; font-family: Calibri&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create mail message</span> </span></span><span style="display:flex;"><span> $Body = <span style="color:#e6db74">&#34;&lt;p style = &#34;&#34;</span>$BodyFont<span style="color:#e6db74">&#34;&#34;&gt;Guten Tag </span>$($_.DisplayName)<span style="color:#e6db74"> &lt;br/&gt; &lt;br/&gt; Ihr Passwort läuft am </span>$(Get-Date (Get-Date).AddDays($_.PasswordExpires) -Format D)<span style="color:#e6db74"> ab.&lt;/b&gt;&lt;/p&gt;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($SendLinkOnDays <span style="color:#f92672">-contains</span> $TriggerDay){ </span></span><span style="display:flex;"><span> $Body += <span style="color:#e6db74">&#34;&lt;p style = &#34;&#34;</span>$BodyFont<span style="color:#e6db74">&#34;&#34;&gt;Bitte ändern Sie das Passwort bevor es abläuft. Rufen Sie dazu die folgende Seite auf: &lt;a href=&#34;&#34;https://vbluzern.sharepoint.com/Support/_layouts/15/start.aspx#/SitePages/Passwortwechsel.aspx&#34;&#34; target=&#34;&#34;_blank&#34;&#34;&gt;Link&lt;/a&gt;&lt;/p&gt;&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> $Body += <span style="color:#e6db74">&#34;&lt;p style = &#34;&#34;</span>$BodyFont<span style="color:#e6db74">&#34;&#34;&gt;ACHTUNG! Dieses E-Mail wurde von einem unbeaufsichtigtem Konto verschickt, Antworten an den Sender dieser E-Mail werden nicht bearbeitet.&lt;/p&gt;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># send mail</span> </span></span><span style="display:flex;"><span> Write-PPEventLog <span style="color:#e6db74">&#34;</span>$($MyInvocation.InvocationName)<span style="color:#ae81ff">`n`n</span><span style="color:#e6db74">Send password reminder to </span>$($_.Mail)<span style="color:#e6db74">&#34;</span> -WriteMessage -Source <span style="color:#e6db74">&#34;Send Password Expiration Reminder&#34;</span> </span></span><span style="display:flex;"><span> Send-MailMessage -To $_.Mail -From $mail.FromAddress -Subject $Subject -Body $Body -SmtpServer $Mail.OutSmtpServer -BodyAsHtml -Priority High -Encoding ([<span style="color:#66d9ef">System.Text.Encoding</span>]::UTF8) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>}<span style="color:#66d9ef">catch</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPErrorEventLog -Source <span style="color:#e6db74">&#34;Send Password Expiration Reminder&#34;</span> -ClearErrorVariable </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><a href="https://gist.github.com/6184059">https://gist.github.com/6184059</a></p> <p>For the memberof Group I recommend to use the SID instead of the DN. I&rsquo;ll show you how the get the SID:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PS C:Userssa-spadmin&gt; (Get-QADGroup <span style="color:#e6db74">&#34;SPO_PasswordNotification&#34;</span>).Sid </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> BinaryLength AccountDomainSid Value </span></span><span style="display:flex;"><span> ------------ ---------------- ----- </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">28</span> S-<span style="color:#ae81ff">1</span>-<span style="color:#ae81ff">5</span>-<span style="color:#ae81ff">21</span>-<span style="color:#ae81ff">1744926098</span>-<span style="color:#ae81ff">708661255</span>-<span style="color:#ae81ff">2033415169</span> S-<span style="color:#ae81ff">1</span>-<span style="color:#ae81ff">5</span>-<span style="color:#ae81ff">21</span>-<span style="color:#ae81ff">1744926098</span>-<span style="color:#ae81ff">708661255</span>-<span style="color:#ae81ff">2033415169</span>-<span style="color:#ae81ff">36648</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PS C:Userssa-spadmin&gt; Get-QADUser -MemberOf <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-36648&#34;</span> </span></span></code></pre></div><!-- raw HTML omitted --> <p>Part two: <!-- raw HTML omitted --><a href="https://janikvonrotz.ch/2013/09/23/handling-user-password-change-and-expiration-issues-withoffice365-and-adfs-part-2/">https://janikvonrotz.ch/2013/09/23/handling-user-password-change-and-expiration-issues-withoffice365-and-adfs-part-2/</a><!-- raw HTML omitted --></p>