Password Leak Checker
Check if your password has appeared in a known data breach. Uses the k-Anonymity model — only the first 5 characters of a SHA-1 hash are sent to the API. Your actual password never leaves your browser.
Your password is never sent anywhere. We hash it locally, then send only the first 5 characters of that hash to the Have I Been Pwned API. The API returns thousands of partial hash matches — we check locally if yours is among them.
How k-Anonymity Protects You
1. Your password is SHA-1 hashed entirely in your browser — e.g. "password123" → A94A8FE5CCB19...
2. Only the first 5 characters of that hash are sent to the HIBP API (e.g. "A94A8")
3. The API returns all ~800 hashes that begin with those 5 characters
4. We check locally if your full hash is in that list — the API never knows which one you looked up
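The four steps above as a runnable sketch. This is an added example, not this tool's own code: the function names, the constructed corpus and the offline `fake_range` stand-in are assumptions, and the range endpoint URL and `Add-Padding` header come from the public HIBP Pwned Passwords API rather than from this page.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint

def split_hash(password):
    """Step 1: SHA-1 locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Step 3: parse 'SUFFIX:COUNT' lines, ignoring malformed ones."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdecimal():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_http(prefix):
    """Step 2, live: only the prefix is in the request. Unused by the demo."""
    headers = {"Add-Padding": "true", "User-Agent": "kanon-example"}
    req = urllib.request.Request(API + prefix, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch_range=fetch_range_http):
    """Step 4: match the suffix locally. 0 means not found; padding rows
    carry a count of 0, so they also read as not found."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Offline stand-in for the API, built from a constructed corpus (not HIBP data).
BREACHED = {"hunter2-constructed": 42}
SEEN_BY_SERVER = []  # everything the "server" ever receives

def fake_range(prefix):
    SEEN_BY_SERVER.append(prefix)
    rows = ["0" * 35 + ":0"]  # padding row, as added when Add-Padding is set
    for pw, n in BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(s + ":" + str(n))
    return "\r\n".join(rows)

if __name__ == "__main__":
    for pw in ("hunter2-constructed", "not-in-corpus-constructed"):
        print(pw, "->", pwned_count(pw, fake_range))
    print("server saw only:", SEEN_BY_SERVER)
```

`SEEN_BY_SERVER` records everything that crosses the network boundary in the demo, so it can be inspected to confirm that only 5-character prefixes are ever transmitted.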
What is "Have I Been Pwned"?
"Have I Been Pwned" (HIBP) is a free service created by security researcher Troy Hunt that aggregates data from hundreds of data breaches. It contains over 10 billion compromised passwords. This tool uses the HIBP Pwned Passwords API to check your password against that database.
If my password appears in a breach, what should I do?
Change it immediately on every site where you use it. Use a unique, randomly generated password for each site — a password manager makes this practical. Enable two-factor authentication where available. Never reuse passwords across sites.
Does a zero result mean my password is safe?
No — it means the password has not appeared in any breach data that HIBP has collected. A password not in the breach database can still be weak or guessable. Always use a long, random password regardless of breach status.
How often is the breach database updated?
The HIBP breach database is continuously updated as new breaches are discovered and processed. Running this check periodically — especially after major breach announcements — is good practice.