Here’s a fun little project that lets you check offline if your password has been pwned. Download the SHA-1 password database here and name it pwned-passwords-sha1-ordered-by-count-v6.txt. Then copy the following text into a file in the same directory as the password hash that was downloaded. When run it will prompt for “Password to search:”. Type in a password and press enter. The script will hash the password you typed and check the hash agains the database. If the password has been pwned it will display the number of times that password has been pwned. If there are no results then the password has not been pwned… yet.

No information leaves your system and the typed password is masked so there should be no trace of typed passwords. Enjoy!

while true
read -sp "Password to search: " pattern
sslpattern=$(echo -n $pattern | openssl sha1)
cleanssl=$(echo $sslpattern | cut -d " " -f 2)
echo "Searching..."
if result=$(grep -i -m 1 "$cleanssl" "pwned-passwords-sha1-ordered-by-count-v6.txt"); then
echo -e "Number of times pwned..."
echo -e $result | cut -d ":" -f 2
echo -e ""
read -p "Press any key to continue" -n1 -s
echo -e "No pwnage to report!\n"
read -p "Press any key to continue" -n1 -s