Password Leak Checker
Free password leak checker using the Have I Been Pwned database. Your password is hashed locally and never sent — only a 5-character hash prefix leaves your browser (k-anonymity).
Your password never leaves your browser. It is hashed locally with SHA-1 and only the first 5 characters of the hash are sent (k-anonymity model) — the API can never know your actual password. Powered by Have I Been Pwned.
How can checking a password be safe?
This tool uses the k-anonymity model pioneered by Have I Been Pwned. Your password is hashed with SHA-1 locally in your browser, and only the first 5 characters of that hash are sent to the API. The server returns every leaked hash starting with those 5 characters (hundreds of them), and the match is found on your device. The service never sees your password or even its full hash.
The database contains over 900 million real passwords exposed in data breaches. If your password appears in it, attackers already have it in their dictionaries — change it everywhere it is used and enable two-factor authentication.
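The k-anonymity exchange described above, as an added JavaScript example that is not this tool's own code. It hashes with Node's crypto module where a browser page would use crypto.subtle.digest, and the function names, the stub server and the sample response with its counts are constructed for illustration.

```javascript
// Added example, not the tool's own code. Node's crypto module does the hashing
// here; a browser page would use crypto.subtle.digest('SHA-1', ...) instead.
const { createHash } = require('node:crypto');

// Hash locally, then split: the 5-character prefix is sent, the 35-character
// suffix stays on the device.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Look up the local suffix in a range response ("SUFFIX:COUNT" per line).
// Malformed lines are skipped. A count of 0 means "not found": Have I Been
// Pwned returns zero-count entries when response padding is requested.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m && m[1].toUpperCase() === suffix) return Number(m[2]);
  }
  return 0;
}

// fetchRange is a hypothetical callback standing in for the HTTP request;
// it receives the prefix and nothing else.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return countInRange(suffix, fetchRange(prefix));
}

// Constructed range response for prefix 5BAA6 (SHA-1 of "password" is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are made up.
const CONSTRUCTED_RANGE = [
  '0123456789ABCDEF0123456789ABCDEF012:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  'FEDCBA9876543210FEDCBA9876543210FED:0', // padding-style entry
  'not a valid line',
].join('\r\n');

// Stub server that records everything it was sent.
const sentToServer = [];
function stubFetchRange(prefix) {
  sentToServer.push(prefix);
  return prefix === '5BAA6' ? CONSTRUCTED_RANGE : '';
}

console.log(checkPassword('password', stubFetchRange), sentToServer);
```

The stub's log holds only the 5-character prefix, which is all a real range endpoint would receive from this flow.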
How to use
- 01 Type the password you want to check (use show/hide to verify it).
- 02 Click "Check for leaks" — only a 5-character hash prefix is sent, never the password.
- 03 If found, the tool shows how many breaches contain that password.
- 04 Change any leaked password everywhere it is used and enable 2FA.
Frequently asked questions
- Is it safe to type my real password here?
- Yes. The password is hashed with SHA-1 inside your browser and only the first 5 characters of the 40-character hash are sent to the API. Hundreds of candidate hashes come back and the comparison happens on your device — the k-anonymity model means the service can never reconstruct your password.
- What should I do if my password is found?
- Stop using it immediately, change it on every account where it is used (attackers try leaked passwords everywhere — this is called credential stuffing), switch to unique passwords per site, and enable two-factor authentication.
- My password was not found — does that mean it is strong?
- Not necessarily. It only means that exact password has not appeared in known breaches. A short or predictable password can still be cracked — use our Password Generator to create long random ones.
- Where does the breach data come from?
- From Have I Been Pwned, the industry-standard breach database maintained by security researcher Troy Hunt, containing more than 900 million passwords from real-world data breaches.