
  echo -n "password" | openssl sha1 | tr '[:lower:]' '[:upper:]'


You may also want to consider running `unset HISTFILE` before that to ensure that the line containing your password doesn't end up sitting around in your bash history.


Another way is to prefix the command with whitespace.


Only if..

    export HISTCONTROL=ignorespace
..is set (either by default or explicitly)


  python3 -c 'import getpass, hashlib; print(hashlib.sha1(getpass.getpass().encode("utf-8")).hexdigest())'
Avoids history, doesn't echo to the terminal.

In fact, you should be able to just make a rudimentary CLI into Troy's API simply with:

  #!/bin/bash
  HASH="$(python3 -c 'import getpass, hashlib; print(hashlib.sha1(getpass.getpass().encode("utf-8")).hexdigest().upper())')"
  curl -sS "https://api.pwnedpasswords.com/range/${HASH:0:5}" | grep "${HASH:5}"
(It'll emit the line from the API response matching your pass; if it does, then that password was compromised. Bash isn't real good at error handling though, so my biggest concern would be what this might do if an HTTP/TCP error happened. I've attempted to throw -S there to catch that, but use with your head screwed on.)


On my machine this produces

  (STDIN)= 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
Which is obviously not what you want. So I changed it to:

  echo -n "$password" | openssl sha1 -binary | xxd -p -u


This worked. Wow an old, old password that is fairly unique was seen 36 times.


echo -n "password"

echo adds a new line that is likely not in your password.


No it doesn't:

       -n     do not output the trailing newline


He's saying echo without an argument emits a newline, so use -n to suppress it.


Oops. Thanks.


You could skip the "tr" part, as the API to query by hash prefixes is not case sensitive, and once you have its results, you can use "grep -i" with the hash.
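The range lookup discussed in this thread, as an added example that is not part of any comment above: it prompts without echo, sends only the 5-character hash prefix, matches the suffix case-insensitively, and treats a network or HTTP failure as "unknown" rather than "not found". The `SUFFIX:COUNT` response format, the function names, the User-Agent string and `SAMPLE_BODY` are assumptions or constructed for illustration.

```python
import getpass
import hashlib
import sys
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint quoted in the thread

# Constructed sample response: CRLF line endings, mixed case, made-up counts.
SAMPLE_BODY = ("00000000000000000000000000000000001:2\r\n"
               "1e4c9b93f3f0682250b6cf8331b7ee68fd8:7\r\n"
               "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n")


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(body: str, suffix: str) -> int:
    """Look up suffix in a range response (assumed format: SUFFIX:COUNT per line)."""
    wanted = suffix.upper()
    for line in body.splitlines():              # splitlines() also handles CRLF
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == wanted:  # exact, case-insensitive match
            return int(count)
    return 0


def lookup(password: str, timeout: float = 10.0) -> int:
    """Query the API with the prefix only; urlopen raises on HTTP/network errors."""
    prefix, suffix = split_hash(password)
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range(resp.read().decode("utf-8"), suffix)


if __name__ == "__main__":
    try:
        seen = lookup(getpass.getpass())         # no echo, nothing in shell history
    except OSError as exc:                       # URLError/HTTPError/timeouts
        sys.exit(f"lookup failed, result unknown: {exc}")
    print(f"seen {seen} times" if seen else "not found in this range")
    sys.exit(1 if seen else 0)
```

The process exits with status 1 when the hash is found and with an error message on stderr when the lookup itself fails, so a calling script can tell the two apart.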



