Password Breach Checker

A privacy-preserving password breach checker built on the Have I Been Pwned k-anonymity API. Your password is hashed locally with SHA-1; only the first 5 hex characters of the hash leave your device. Have I Been Pwned returns every leaked hash sharing that prefix (~500 of them), and your browser compares the remaining 35 characters locally. The full hash — and therefore the password — never leaves your machine.

How to use

1. Enter a password. Click the field and type or paste. The check runs on submit, not on every keystroke.

2. Click Check. The browser hashes the password with SHA-1, sends only the first 5 hex characters of that hash to HIBP, and receives ~500 candidate suffixes back.

3. Read the result. Either "not found" or "seen N times". If found, change the password everywhere it is reused.

4. Generate a replacement. Use our password generator or passphrase generator for a unique, strong replacement.

Find out if your password has leaked, without sending it to anyone

k-anonymity model. Only the first 5 characters of your password's SHA-1 hash are sent. HIBP returns all hashes with that prefix (~500 of them); your browser searches that list locally. The full hash never leaves your device.

Features

- k-anonymity protocol
- 800+ breaches indexed
- Local hashing
- Count of occurrences
- No history kept

FAQ

Does my password leave my device?

No. Only the first 5 hex characters of its SHA-1 hash are sent to HIBP. About 500 leaked hashes share that prefix, so HIBP cannot determine which one you checked, or whether yours is among them at all.

What is k-anonymity?

A privacy model where a query is mixed in with k other indistinguishable queries. Sending a 5-character SHA-1 prefix means your query is indistinguishable from ~500 others, so the server cannot uniquely identify what you looked up.

Why SHA-1, isn't it broken?

SHA-1 is broken for collision resistance (the SHAttered attack), but k-anonymity does not depend on that. The prefix only needs to spread real passwords evenly across buckets, which SHA-1 does fine.

Where does the breach data come from?

Troy Hunt's Have I Been Pwned project (haveibeenpwned.com). It aggregates publicly disclosed breaches and curated lists: 800+ breaches and 13+ billion compromised credentials.

My password is not in the database — is it strong?

Not necessarily. It just means it has not appeared in any leaked database yet. A short or predictable password can still be cracked by online or offline brute force. Always test strength separately.

What should I do if it is breached?

Immediately stop using it. Generate a unique replacement for every site where the password was reused. Switch to a password manager. Enable 2FA wherever possible.
