This is a tool for checking your passwords in pass against the Have I been pwned? service.
passpwn uses the range API, which means that only the first 5 characters of each password's SHA-1 hash are sent to Have I been pwned?; the hashes it returns are then checked locally against the full hash.
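The range lookup described above, as an added Python example (not passpwn's own code). The function names and the sample response body are constructed for illustration; the body follows the `SUFFIX:COUNT` line format the range API returns, and no network request is made.

```python
import hashlib


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is sent to the range API; the
    35-character suffix never leaves the local machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Look up the local suffix in a range response body.

    Each line is SUFFIX:COUNT for one hash sharing the queried prefix.
    A missing suffix, or an entry with count 0 (as used for response
    padding), means the password was not found.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        if candidate.upper() == suffix:
            return int(count)
    return 0


def sample_range_body(known_suffix: str) -> str:
    """Constructed response body for one prefix (not real API output)."""
    return "\r\n".join([
        "0" * 35 + ":3",          # unrelated hash with the same prefix
        known_suffix + ":12345",  # the entry we expect to match
        "F" * 35 + ":0",          # padding-style entry
    ])


if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    body = sample_range_body(suffix)
    print(f"sent to API: {prefix}")
    print(f"kept local:  {suffix}")
    print(f"times seen:  {breach_count(suffix, body)}")
```
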
Inspiration for this tool comes from the 1Password blog.
A big thanks to haveibeenpwned.com for making this possible in a secure way.
To only see the compromised passwords:
    ./passpwn >/dev/null

The program will print compromised passwords to stderr.
If you have Nix with flakes enabled, you can run passpwn without installing it:
    nix run github:antonlindstrom/passpwn

Or from a local checkout:

    nix run .

Copy or symlink the passpwn script to somewhere on your $PATH, for example:

    install -m 755 passpwn ~/.local/bin/passpwn

If you find any bugs or want to provide feedback, you can file bugs in the project's GitHub Issues page.
This project is maintained by Anton Lindström (GitHub)
APACHE LICENSE 2.0

Copyright 2026 Anton Lindström
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.