@magicroundabout @AlexStandiford @schlessera @WPAleks @haveibeenpwned So WP-CLI would need your plain text password inorder to get the SHA-1 hash to accurately compare it against the pwned password API. Just taking it out of the database (and WordPress has no idea what your plain text password is) is useless since the hash will be different

@magicroundabout @AlexStandiford @schlessera @WPAleks @haveibeenpwned I don’t see how this could work since the @haveibeenpwned API stores SHA-1 hashes of plain text passwords but WordPress stores a hashed version of salted passwords. And the salt is different (usually) for every single WordPress site. See api.wordpress.org/secret-key/1.1…