Pwned Passwords API - PHP CLI script to test your passwords locally

pwned.php

#!/usr/bin/env php
<?php

/**
 * Usage: pwned.php '<password>'
 */

// get the first argument as the password
$password = $argv[1];

// no password, give them some usage instructions
if (!$password) {
    echo "Usage: {$argv[0]} '<password>'\n";
    exit;
}

// turn the password into sha1 hash (uppercased)
$sha = strtoupper(sha1($password));

// split at 5th char
$shaStart = substr($sha, 0, 5);
$shaEnd = substr($sha, 5);

// make curl request to password api
$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => 'https://api.pwnedpasswords.com/range/' . $shaStart,
    CURLOPT_USERAGENT => 'ss/cli-password 1.0',
    CURLOPT_HTTPHEADER => array(
        'Accept: text/plain',
    ),
));

$response = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);

// put response into memory so we can loop over each line
$fp = fopen('php://memory', 'r+');
fputs($fp, $response);
rewind($fp);

// search for the hash
$hit = false;
while ($line = fgets($fp)) {
    list($candidateEnd, $count) = explode(':', trim($line), 2);
    if ($candidateEnd === $shaEnd) {
       $hit = true;
       break;
    }
}

// if we hit, let them know
if ($hit) {
    echo "HIT: $count hit";
    if ($count !== 1) {
        echo "s";
    }
} else {
    echo "MISS";
}

echo "\n";

// error exit if we hit
exit ($hit ? 1 : 0);