Password Breach Checker
Check if your password has appeared in a known data breach. Your password is never transmitted.
Your password is hashed with SHA-1 locally. Only the first 5 characters of the hash are sent to the HaveIBeenPwned API, never the full hash and never the password itself. The API returns all hashes that start with those 5 characters (hundreds of results). Your browser then checks locally whether your full hash appears in the list. This means the server never knows which password you're checking.
About Password Breach Checking
Data breaches happen constantly. When a website is compromised, attackers often dump a database of username/password combinations. Security researcher Troy Hunt maintains the HaveIBeenPwned database, which contains over 10 billion compromised passwords from thousands of breaches. If your password appears in this database, it means attackers already know it, even if they don't know which website you used it on.
This tool uses the Pwned Passwords k-anonymity API, which was specifically designed to allow checking without revealing your password. Only 5 characters of the SHA-1 hash are sent; the rest of the matching happens in your browser. This means neither this site nor the HaveIBeenPwned API ever sees your actual password or its full hash.
How to Use
- Type a password in the input field.
- Click Check Password to query the HaveIBeenPwned database.
- If the password has been seen in breaches, you'll see how many times. Change it immediately.
- If it hasn't been seen, it's not in the database, but check password strength too.
Frequently Asked Questions
21BD1. (3) The API returns all hashes in its database that start with 21BD1, typically 400–900 results. (4) Your browser searches that local list for your complete hash. The API only ever sees a 5-character prefix that could match hundreds of thousands of different passwords. You can verify this by inspecting the network request in your browser's DevTools.
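The range check described above, written out as an added example (not this site's own code): it runs offline under Node.js against a constructed API response and shows which part of the hash leaves the client and which part is matched locally. The sample password P@ssw0rd, the match count, the helper names and the endpoint constant are assumptions chosen for illustration; in a browser the digest would come from crypto.subtle.digest rather than Node's crypto module.

```javascript
// Added example: k-anonymity range check, runnable offline under Node.js.
const { createHash } = require("crypto");

const RANGE_URL = "https://api.pwnedpasswords.com/range/"; // Pwned Passwords range endpoint

// SHA-1 of the UTF-8 password as 40 uppercase hex characters.
function sha1Hex(password) {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Split the hash: only `prefix` (5 chars) is sent; `suffix` (35 chars) stays local.
function buildRangeRequest(password) {
  const hash = sha1Hex(password);
  const prefix = hash.slice(0, 5);
  return { url: RANGE_URL + prefix, prefix, suffix: hash.slice(5) };
}

// Parse a range response body: one "SUFFIX:COUNT" entry per line, CRLF separated.
function parseRangeResponse(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2])); // malformed lines are skipped
  }
  return counts;
}

// Local match: 0 means the suffix is absent (padding entries also carry count 0).
function breachCount(password, body) {
  const { suffix } = buildRangeRequest(password);
  return parseRangeResponse(body).get(suffix) ?? 0;
}

// Constructed response for one prefix: a filler entry, the match, a padding entry.
function constructedRangeBody(matchSuffix, count) {
  return [
    "0".repeat(34) + "A:3",
    `${matchSuffix}:${count}`,
    "F".repeat(34) + "B:0",
  ].join("\r\n");
}

const req = buildRangeRequest("P@ssw0rd"); // sample password, prefix 21BD1
const body = constructedRangeBody(req.suffix, 12345); // count is made up
console.log("sent to API :", req.url);
console.log("kept local  :", req.suffix);
console.log("breach count:", breachCount("P@ssw0rd", body));
```

The only value that appears in the request URL is the 5-character prefix; the 35-character suffix is compared against the response entirely on the client.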