And there we have it -- my password is compromised (the suffix D937...)
Easy enough to script this up with minimal information leakage. All you're sending is 20 bits; that's not enough to do anything malicious even if your password is compromised.
One space is sufficient in bash, if memory serves right.
And secondly, on macOS with the default config for zsh no amount of spaces will help, I think. You have to first configure zsh to ignore from history when starting with space. And after that I think one space will be enough.
That functionality in bash is controlled by the HISTCONTROL environment variable. On many systems this defaults to "ignorespace", but this isn't always the case.
On Fedora, with bash, HISTCONTROL defaults to "ignoredups" and is set by /etc/profile (unless it's changed in the last few years).
Usually you can set/unset the shell option "history". For instance, "set +o history" to disable history in the current shell and "set -o history" to turn it back on.
Edit: Looks like on Ubuntu HISTCONTROL=ignoreboth comes from .bashrc in /etc/skel/
Hash your password locally
Then take the first five characters of the hash and invoke the API
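The hash-prefix lookup described in the comments above, as an added example that is not part of the thread. It assumes SHA-1 hashing and a range response made of `SUFFIX:COUNT` lines (the format the Pwned Passwords range API returns); the function names, the demo password and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: k-anonymity password check with the suffix matched locally.
# Assumptions (not stated in the thread): SHA-1, "SUFFIX:COUNT" response lines.

# Uppercase hex SHA-1 of stdin, so the password never appears in argv.
sha1_upper() { sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F'; }

# First five hex characters (20 bits): the only value sent to the service.
hash_prefix() { printf '%s' "$1" | cut -c1-5; }

# Remaining 35 characters: compared on this machine, never sent.
hash_suffix() { printf '%s' "$1" | cut -c6-; }

# lookup_count SUFFIX < response : print the listed count, or 0 if absent.
# Appending "" forces a string comparison; an all-digit suffix would
# otherwise be compared numerically by awk and could match the wrong line.
lookup_count() {
  tr -d '\r' | awk -F: -v want="$1" '($1 "") == (want "") { n = $2 } END { print n + 0 }'
}

# Read a secret from the terminal without echo. Nothing is typed on a
# command line, so it stays out of shell history whatever HISTCONTROL says.
read_secret() {
  printf 'Password: ' >&2
  stty -echo
  IFS= read -r secret
  stty echo
  printf '\n' >&2
  printf '%s' "$secret"
}

# Constructed sample response for prefix 5BAA6 (counts are made up).
sample_response() {
  printf '%s\r\n' \
    '0000000000000000000000000000000000A:3' \
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42' \
    'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1'
}

# Offline demo with a constructed password. For real use, replace the
# literal with "$(read_secret)" and the sample with the fetched response.
h=$(printf '%s' 'password' | sha1_upper)
printf 'prefix sent:   %s\n' "$(hash_prefix "$h")"
printf 'times listed:  %s\n' "$(sample_response | lookup_count "$(hash_suffix "$h")")"
```

A count of 0 means the suffix was not in the returned range; any other value is the number of times that hash appears in the data set.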