Breach Checker

Check if your password has appeared in known data breaches using the Have I Been Pwned API. Uses k-anonymity so your password is never sent over the network.

Free · No Signup · No Server Uploads · Zero Tracking

How this works (k-anonymity)

Your password is SHA-1 hashed locally. Only the first 5 characters of the hash are sent to the API. The full password is never transmitted. This is the same privacy model used by 1Password and other password managers.

How to Use Breach Checker

  1. Enter a password

     Type or paste a password you want to check. The text is visible so you can verify what you're checking.

  2. Click Check

     The password is SHA-1 hashed locally. Only the first 5 characters of the hash are sent to the API.

  3. Review results

     See if the password has been found in any data breaches and how many times it has appeared.

Frequently Asked Questions

Yes. Your password is never sent over the network. It is SHA-1 hashed locally in your browser, and only the first 5 characters of the hash are sent to the Have I Been Pwned API. This is called k-anonymity.

K-anonymity is a privacy technique where only a partial hash prefix is sent to the server. The server returns all hash suffixes matching that prefix, and your browser checks locally if your full hash is in the list. This means the server never knows which specific password you checked.
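
The prefix/suffix exchange described above, sketched in JavaScript as an added example (not this tool's own code). The sample response body and its counts are constructed, and `splitHash`, `breachCount`, `checkPassword` and the `fetchRange` callback are hypothetical names. The `:0` line assumes the padding entries the Pwned Passwords API returns when called with its `Add-Padding` header.

```javascript
// Constructed sample of a range response for prefix 5BAA6: one "SUFFIX:COUNT"
// entry per line, CRLF-separated. Counts are made up; the ":0" line imitates
// a padding entry that must not be reported as a breach hit.
const SAMPLE_BODY = [
  '0'.repeat(35) + ':12',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3', // suffix of SHA-1("password")
  'F'.repeat(35) + ':0',
].join('\r\n');

// Split a 40-char SHA-1 hex digest into the 5 chars that are sent to the
// server and the 35 chars that never leave the client.
function splitHash(hashHex) {
  const h = hashHex.trim().toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) throw new Error('expected 40 hex characters');
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Search the returned suffix list locally. Returns the breach count, or 0
// when the suffix is absent, malformed, or only present as padding.
function breachCount(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isFinite(n) ? n : 0;
    }
  }
  return 0;
}

// Browser flow: hash locally with Web Crypto, send only the prefix.
// fetchRange(prefix) is a hypothetical callback returning the response text,
// e.g. p => fetch('https://api.pwnedpasswords.com/range/' + p).then(r => r.text())
async function checkPassword(password, fetchRange) {
  const bytes = new TextEncoder().encode(password);
  const digest = await crypto.subtle.digest('SHA-1', bytes);
  const hex = [...new Uint8Array(digest)]
    .map(b => b.toString(16).padStart(2, '0')).join('');
  const { prefix, suffix } = splitHash(hex);
  return breachCount(suffix, await fetchRange(prefix));
}
```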

Change it immediately wherever it is used. Use our Password Generator or Passphrase Generator to create a strong, unique replacement.

Not necessarily. It means it has not appeared in known leaked databases. A short or simple password can still be guessed quickly even if it has not been breached.

The Have I Been Pwned Pwned Passwords database includes over 800 million compromised passwords from hundreds of data breaches.