zsh: do not commit passwords to history

passwords are identified by their SHA256 hashes

.config/zsh/.zshrc

@@ -55,6 +55,20 @@ function _my_filter_secrets_zshaddhistory() {
 }
 add-zsh-hook zshaddhistory _my_filter_secrets_zshaddhistory
 
+# compute hash from line until and excluding first newline
+# reject if hash matches
+function _my_filter_secrets_hash_zshaddhistory() {
+    local hash=$(sha256sum <<< ${1%%$'\n'*})
+    hash=${hash%% *}
+
+    case ${hash} in
+        2e324cea58462bb08bacb6e9bb44b1e972c02ad919d58ed61dd89b01ab480b11)
+            return 1 ;;
+    esac
+    return 0
+}
+add-zsh-hook zshaddhistory _my_filter_secrets_hash_zshaddhistory
+
 ############################## Plugins #########################################
 
 # https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md