Password Breach Checker
Check if your password has been exposed in data breaches
Your password is secure
We use k-anonymity: Your password is hashed locally using SHA-1. Only the first 5 characters of the hash are sent to the API. Your actual password never leaves your browser.
This tool uses the Pwned Passwords API from Have I Been Pwned (HIBP), a free service that contains over 600 million passwords exposed in data breaches.
How k-anonymity works: Your password is hashed using SHA-1 locally in your browser. Only the first 5 characters of the hash (the "prefix") are sent to the API. The API returns the suffixes of all hashes that start with that prefix, and we check locally whether the rest of your hash is in the list. This means your password is never transmitted.
Example: If your password hashes to 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, only 5BAA6 is sent to the API.
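The lookup described above, as an added Python example that is not this tool's own code. The network request is replaced by a constructed offline response (`offline_fetch`, `SAMPLE_BODY` and its counts are assumptions made for illustration), which shows that only the prefix reaches the network layer and that the match happens locally.

```python
import hashlib

def split_hash(password):
    """Hash locally with SHA-1; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Return the listed count for the password, or 0 if it is not listed.

    fetch_range(prefix) is an assumed callable standing in for the API request;
    the prefix is the only value ever passed to it.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed response body for prefix 5BAA6; all counts are made up.
# The second entry is the suffix of SHA-1("password"), the page's example hash.
SAMPLE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
    "F" * 35 + ":0",  # a zero-count entry is treated as not listed
])

sent = []  # everything that would have crossed the network

def offline_fetch(prefix):
    """Constructed stand-in for the HTTP request (no network access)."""
    sent.append(prefix)
    return SAMPLE_BODY if prefix == "5BAA6" else ""

if __name__ == "__main__":
    print(breach_count("password", offline_fetch))
    print(sent)
```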
Features
- Check against 600M+ breached passwords
- Secure k-anonymity (password never sent)
- Password strength analysis
- Detailed security recommendations
- Uses free HIBP Pwned Passwords API
- SHA-1 hash displayed for verification
Frequently Asked Questions
Is it safe to enter my password?
Yes! We use k-anonymity - your password is hashed locally using SHA-1, and only the first 5 characters of the hash are sent to the API. Your full password never leaves your browser.
What should I do if my password is breached?
Change your password immediately on any service where you use it. Use a unique, strong password for each account and enable two-factor authentication where possible.
How does k-anonymity work?
Your password is hashed locally. Only the first 5 characters of the hash (prefix) are sent to the API. The API returns all matching suffixes, and we check locally if your full hash matches any of them.