How a privacy-preserving password breach check works
Type a password above to check whether it appears in any known data breach. The check is privacy-preserving: your password is hashed in your own browser, only the first 5 hex characters of the SHA-1 hash leave the page, and the HIBP API returns hundreds of candidate suffixes for your browser to scan locally. The server never learns your password.
This is the canonical implementation of k-anonymity for breach checking, designed by Troy Hunt and Cloudflare. The same protocol is built into 1Password, Bitwarden, Firefox Monitor, Google Chrome, and modern enterprise SSO.
A "not found" result is necessary but not sufficient — passwords that have never been breached can still be weak. For real protection, generate a long random passphrase with a password manager and turn on multi-factor authentication.
Frequently asked questions
Do I have to trust this site with my password?
No — and you shouldn't blindly trust any password checker. This page sends only the first 5 hex characters of the SHA-1 hash to HIBP. The HIBP API has no idea which password you checked. The full code is visible — open the page source and search for sha1Hex to verify.
What is k-anonymity?
A privacy technique where you query a service for a group containing your secret, and check membership locally. HIBP returns ~500 hash suffixes for any 5-char prefix. Your browser checks if your suffix is in the list. The server never learns which one was yours.
My password isn't in the database — am I safe?
Not necessarily. The database covers passwords found in real breaches. A guessable password (Spring2026!, Password123, your dog's name) may not be in any breach yet but will be cracked offline in seconds. Use a randomly generated long passphrase from a password manager.
Where does the data come from?
Troy Hunt's Pwned Passwords service aggregates passwords from publicly disclosed breaches and government-supplied corpora. As of late 2025, it contains over 14 billion entries.
Why SHA-1, not bcrypt?
SHA-1 is fast enough for the k-anonymity range query to return in <100ms. The full hash is never compared on the server; it serves only as a lookup key for the prefix bucket, not as an integrity or authentication check, so SHA-1's known collision weakness doesn't matter for this protocol. A salted, slow hash like bcrypt would also defeat the design: every stored copy of a password would hash differently, so no shared prefix index could be built. The actual storage at HIBP uses prefix-bucketed indexes built from SHA-1 (and now NTLM) for compatibility with security tooling.