Password Leak Checker

Check if your password has appeared in known data breaches using the Have I Been Pwned k-anonymity API.


Your password is hashed in your browser. Only the first 5 characters of the SHA-1 hash are sent to the API.

How Does This Work?

This tool uses the k-anonymity model from Have I Been Pwned (HIBP) by Troy Hunt:

  1. Your password is hashed using SHA-1 in your browser
  2. Only the first 5 characters of the hash are sent to the HIBP API
  3. The API returns all hash suffixes that match those 5 characters
  4. Your browser checks if your full hash is in the returned list
  5. If found, the count of how many times it appeared is displayed

Your password never leaves your browser. Only a partial hash prefix is sent; many different hashes share the same 5 characters, making it impossible to reconstruct the original password from it.
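The five steps above, written out as an added example (this is not the tool's own source code). The function names and the injectable fetchRange parameter are assumptions made for illustration, and the sample response body is constructed so the check can run offline.

```javascript
// Added example; function names are illustrative, not this tool's source.
const RANGE_URL = 'https://api.pwnedpasswords.com/range/'; // HIBP range endpoint

async function getSubtle() {
  // Browsers and recent Node expose Web Crypto globally; older Node needs the import.
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// Steps 1-2: SHA-1 the password locally, split into 5-char prefix and 35-char suffix.
async function splitHash(password) {
  const subtle = await getSubtle();
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  const hex = Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Steps 3-5: the response is one "SUFFIX:COUNT" per line; find our suffix locally.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isFinite(n) ? n : 0; // malformed count is treated as no match
    }
  }
  return 0;
}

async function defaultFetchRange(prefix) {
  const res = await fetch(RANGE_URL + prefix);
  if (!res.ok) throw new Error('range request failed: ' + res.status); // never report "safe" on error
  return res.text();
}

// fetchRange is injectable so the check can be exercised against a canned body.
async function checkPassword(password, fetchRange = defaultFetchRange) {
  const { prefix, suffix } = await splitHash(password);
  const body = await fetchRange(prefix); // only the prefix crosses the network
  return countInRange(suffix, body);
}

// Constructed sample response for prefix 5BAA6 (counts and neighbouring suffixes are made up).
const SAMPLE_BODY = [
  '0018A45C4D1DEF81644B54AB7F969B88D65:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD9:7',
].join('\r\n');
```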

Frequently Asked Questions

Is it safe to type my password here?

Yes. Your password is processed entirely in your browser. It is hashed with SHA-1 using the Web Crypto API, and only the first 5 characters of the hash are sent to the HIBP API. The raw password is never transmitted, stored, or logged anywhere.

What should I do if my password is found?

Change it immediately on any accounts where you use it. Use a unique, strong password for each account. Consider using a password manager to generate and store complex passwords.

Where does the breach data come from?

The data comes from Have I Been Pwned, a free service that aggregates and verifies data from publicly disclosed data breaches. The database contains over 12 billion breached accounts.
