Check if Your Password Was Leaked

Find out if your password has been compromised in a data breach. Our secure checker keeps your input private while searching known leaks.

Your password is hashed locally and only the first 5 characters of the hash are sent to the API.

About Leak Checking

This tool uses the Have I Been Pwned API to check if your password has appeared in known data breaches. The check uses k-anonymity to protect your privacy: only a partial hash is sent to the API. If your password is found, change it immediately on all accounts.

How It Works

This password leak checker securely verifies if your password has appeared in known data breaches using the k-anonymity privacy model.

The privacy-safe checking process:

  1. SHA-1 hashing: Your password is converted to a SHA-1 hash locally in your browser.
  2. Prefix extraction: Only the first 5 characters of the hash are sent to the API.
  3. Range query: The API returns all breached hashes starting with those 5 characters (hundreds of results).
  4. Local matching: Your browser checks if your full hash appears in the returned list.

This means your actual password never leaves your device, and the API can't determine which specific hash you're checking among the hundreds returned.

When You'd Actually Use This

After Breach Notifications

Verify if your password was exposed when a service you use reports a data breach.

New Account Setup

Check if a password you're considering has already been compromised before using it.

Regular Security Audits

Periodically test your important passwords to ensure they haven't appeared in new breaches.

Password Manager Migration

Audit existing passwords before importing them into a new password manager.

Corporate Security Reviews

Check if employee passwords (hashed) have appeared in breaches without storing them.

Peace of Mind

Quickly verify the security status of passwords you use frequently.

What to Know Before Using

If your password is found, change it immediately

If your password appears in a breach, it's in the hands of attackers. Change it on all accounts where you used it.

No match doesn't guarantee safety

The breach database isn't comprehensive. A clean result means it's not in known breaches, not that it's strong.

Your password isn't stored or transmitted

The k-anonymity model ensures your password never leaves your browser. Only a 5-character hash prefix is shared.

Reuse multiplies the risk

If a reused password appears in any breach, all accounts using that password are compromised.

Check email addresses too

Use 'Have I Been Pwned' to check if your email appears in breaches, even if passwords weren't exposed.

Common Questions

Is it safe to check my password?

Yes. The k-anonymity model means your full password hash is never sent. Only the first 5 characters of the hash leave your browser.

What should I do if my password is found?

Change it immediately on every account where you used it. Enable two-factor authentication and use a password manager.

How often are breach databases updated?

Major services update within days of new breaches being discovered. Check periodically, especially after news of large breaches.

Why SHA-1 if it's considered broken?

SHA-1's known weaknesses are collision attacks, which don't affect this use case: the hash is used only as a lookup key against a list of breached hashes, not to protect a stored password. The k-anonymity model adds further protection on top of that.

Can the API see which password I'm checking?

No. Each request reveals only a 5-character prefix that hundreds of breached hashes share, so the API can't determine which of those hashes is yours.

What's the difference between this and 'Have I Been Pwned'?

HIBP's email search checks if your email address appears in breaches. This tool checks whether your specific password hash is in the breached password database.

Should I check all my passwords?

Prioritize passwords on critical accounts (email, banking, primary services). Then check others as you update them.