pwned-check
Privacy-first breach detection CLI using k-anonymity
Overview
pwned-check brings enterprise-grade credential auditing to the terminal, designed with a strict privacy-first philosophy.
The implementation hashes each password with SHA-1 (Node's built-in crypto module) and splits the hash into a 5-character prefix, which is sent to HIBP's range API, and a tail that stays local for comparison. The server returns ~500 matching hashes; the comparison never leaves your machine.
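The prefix/tail split and local comparison described above, as an added example that is not pwned-check's own source. The function names, the `TAIL:COUNT` line format it parses, the treatment of zero-count lines as padding, and the sample response are assumptions of this example; the response is constructed so the block runs offline.

```javascript
const { createHash } = require('node:crypto');

// SHA-1 the password and split the hex digest.
// Only `prefix` would ever be sent to the range API; `tail` stays local.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), tail: hex.slice(5) };
}

// Parse a range response body (one "TAIL:COUNT" per line, CRLF or LF) into a Map.
// Malformed lines are skipped. Zero-count lines are treated as padding, not hits.
function parseRange(body) {
  const tails = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (!m) continue;
    const count = Number(m[2]);
    if (count > 0) tails.set(m[1].toUpperCase(), count);
  }
  return tails;
}

// Local comparison: look up our own tail in the returned set.
// Returns the breach count, or 0 when the tail is absent.
function breachCount(password, rangeBody) {
  const { tail } = splitHash(password);
  return parseRange(rangeBody).get(tail) ?? 0;
}

// Constructed sample response for prefix 5BAA6 (all counts are made up).
const SAMPLE_RANGE = [
  '0018A45C4D1DEF81644B54AB7F969B88D65:3',
  '1e4c9b93f3f0682250b6cf8331b7ee68fd8:1234', // tail of SHA-1("password"), lower-cased on purpose
  '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0',    // padding-style entry, ignored
  'not a hash line',                          // malformed, ignored
].join('\r\n');

console.log(splitHash('password'));
console.log(breachCount('password', SAMPLE_RANGE));
```
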
Features include interactive mode with masked input (preventing shell history leaks), inline multi-password checks, batch file mode for auditing password manager exports, JSON output for CI/CD pipeline integration, and a --debug flag that exposes the SHA-1 prefix/tail split for educational inspection.
Built with zero unnecessary dependencies — chalk, ora, inquirer, commander, and Node's built-in fetch/crypto cover everything.