Password Checkup

  • Type: Automation
  • Status: Active
  • Date: May 10, 2025

A scheduled GitHub Action that emails you a clean, categorized password-review report from an Excel sheet—so rotations don't get missed.

Overview

PasswordCheckup started from a simple engineering thought: if remembering to change passwords is a problem, the real solution is not better memory, but better systems.


Instead of relying on people to remember rotation schedules, the idea was to automate the reminder itself, turning a manual security task into a repeatable pipeline.

PasswordCheckup is a GitHub Action that scans an Excel spreadsheet of password metadata and emails a daily HTML summary of entries that are due for review soon or have gone stale.

It helps teams stay compliant with periodic password rotation policies by surfacing upcoming review dates (1 day / 3 days / 1 week) and passwords that haven't been changed in a long time (90 days).

The workflow is designed for privacy: it reads local repository data (Excel + YAML recipients) and sends notifications through your SMTP provider, without calling external password or breach APIs.

Tech Stack

  • Language: Python 3.11
  • Frameworks: GitHub Actions
  • Infra: GitHub-hosted runners, SMTP provider
  • Storage: Excel (.xlsx), YAML

Architecture

  • Trigger: GitHub Actions workflow (workflow_dispatch by default; cron schedule available but deactivated)
  • Inputs: data/data.xlsx + config/email_recipients.yaml
  • Processing: pandas reads Excel (openpyxl engine) and normalizes column names
  • Logic: Next_Review_Date windows (1/3/7 days) + stale Date_Changed threshold (90 days)
  • Output: HTML email built from pandas.to_html tables (styled-table class)
  • Delivery: SMTP over SSL using EMAIL_USER + EMAIL_PASSWORD GitHub secrets; SMTP host placeholder in code (%SMTP_HOST%)

Features

  • Daily Excel scan of password review data in data/data.xlsx
  • Buckets items by upcoming review windows: within 1 day, 3 days, 1 week
  • Flags old passwords based on last change date threshold (90 days)
  • Sends a styled HTML email with tables for each bucket
  • Recipient list managed in config/email_recipients.yaml
  • Manual trigger supported; optional cron schedule available (but deactivated in workflow)

Metrics / Results

  • Scheduled run example: 10:00 UTC+2 daily when cron is enabled
  • 0 external security/breach APIs used (data stays in your repo + SMTP)

Insights & Future Improvements

Insights

  • How to ship a real, useful automation via GitHub Actions with minimal moving parts
  • Data-driven notifications: keep policy tracking in Excel while automating the boring review step
  • Safe defaults: don't send emails when there's nothing to report (script exits cleanly)

Future Improvements

  • Replace %SMTP_HOST% placeholder with an env var/secret (e.g., SMTP_HOST) so setup is fully no-code
  • Add validation for required Excel columns with clearer error messages
  • Add unit tests for date bucketing and stale-password detection
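
A sketch of the date bucketing, stale check, required-column validation and "nothing to report" default described above, added here as an illustration and not taken from the project's code. It uses plain dicts and the standard library instead of pandas; the normalization rule, the narrowest-window and past-date handling, the "more than 90 days" comparison and the Account column are assumptions.

```python
from datetime import date

REQUIRED = ("next_review_date", "date_changed")  # the page's columns, normalized
WINDOWS = (("within_1_day", 1), ("within_3_days", 3), ("within_1_week", 7))
STALE_AFTER_DAYS = 90

def normalize(row):
    # Assumed normalization: trim, lower-case, spaces to underscores.
    return {str(k).strip().lower().replace(" ", "_"): v for k, v in row.items()}

def build_report(rows, today):
    """Return {bucket: [rows]}, or None when there is nothing to email."""
    report = {name: [] for name, _ in WINDOWS}
    report["stale"] = []
    for index, raw in enumerate(rows):
        row = normalize(raw)
        missing = [c for c in REQUIRED if c not in row]
        if missing:
            raise ValueError(f"row {index}: missing column(s): {', '.join(missing)}")
        days_left = (row["next_review_date"] - today).days
        for name, limit in WINDOWS:
            if 0 <= days_left <= limit:  # assumption: past dates are not "upcoming"
                report[name].append(row)
                break  # assumption: narrowest matching window only
        if (today - row["date_changed"]).days > STALE_AFTER_DAYS:
            report["stale"].append(row)
    return report if any(report.values()) else None

# Constructed sample data; "Account" is a hypothetical column name.
TODAY = date(2025, 5, 10)
SAMPLE_ROWS = [
    {"Account": "vpn-admin", "Next_Review_Date": date(2025, 5, 11), "Date_Changed": date(2025, 4, 1)},
    {"Account": "ci-deploy", " Next_Review_Date ": date(2025, 5, 13), "Date_Changed": date(2025, 3, 15)},
    {"Account": "db-root", "Next_Review_Date": date(2025, 5, 16), "Date_Changed": date(2025, 1, 1)},
    {"Account": "legacy-ftp", "Next_Review_Date": date(2025, 8, 1), "Date_Changed": date(2024, 11, 1)},
    {"Account": "wiki", "Next_Review_Date": date(2025, 7, 1), "Date_Changed": date(2025, 4, 20)},
]

if __name__ == "__main__":
    for bucket, items in build_report(SAMPLE_ROWS, TODAY).items():
        print(bucket, [r["account"] for r in items])
```

Because the function takes `today` as a parameter, each window boundary can be tested with fixed dates rather than the runner's clock.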

Instead of remembering when to change a password, build a system that remembers for you.

Axbecher