Password breach checker
Check whether a password has appeared in a known data breach — without the password ever leaving your device.
Your password is hashed in the browser and only a short prefix of that hash is sent to the HaveIBeenPwned API. The full match is checked locally. Nothing identifying ever leaves your device.
Password to check
Type or paste a password. It is hashed locally — nothing is transmitted.
How your privacy is protected
- Password is hashed with SHA-1 in your browser
- Only the first 5 hex characters of the hash are sent
- ~500 matching hashes are returned from the API
- Your browser checks the list locally — no full hash or password is transmitted
Result
Enter a password and press Check password to see if it has appeared in a known data breach.
Times seen in breaches: 3,303,003
This password is compromised — change it everywhere it's used.
Attackers use breach lists for credential stuffing — trying every known password against every service they can reach.
Even one appearance means the password is in active circulation among attackers.
Times seen in breaches: 0
Not found in known breach data.
This password does not appear in the HaveIBeenPwned dataset of breached credentials.
This is a good sign — but not a guarantee it has never been exposed. Use a unique password for every account.
Unable to check
Network error — check your connection and try again.
How this checker works
The HaveIBeenPwned Pwned Passwords database contains billions of real-world passwords collected from hundreds of data breaches. Rather than transmit your password to check it against the database, this tool uses a technique called k-anonymity: your browser hashes the password with SHA-1, sends only the first five hex characters of that hash to the API, and receives back roughly 500 hashes that share that prefix. The full match is then checked locally. The API never learns which hash — let alone which password — was queried.
A breach count tells you how many times that exact password appeared across all the breach data HIBP has collected. High counts indicate extremely common passwords (like password123 or 123456). Low counts, including one, still mean the password is known to attackers and should be treated as compromised.
About this tool
This tool checks whether a password appears in the HaveIBeenPwned database of known breach data using k-anonymity. The password is hashed with SHA-1 in the browser, only the first 5 characters of that hash are sent to the API, and the full match is checked locally. The password itself never leaves your device. A result of zero means the password has not appeared in breach data HaveIBeenPwned has collected — it does not guarantee it has never been compromised elsewhere.
Frequently asked questions
How does my password stay private?
Your password is hashed with SHA-1 entirely in the browser. Only the first 5 characters of that hash — one of roughly one million possible prefixes — are sent to the HaveIBeenPwned API. The API returns around 500 hashes that share that prefix; the full match is then checked locally in your browser against that list. This is called k-anonymity: the API never receives enough information to determine which password was queried.
What does "not found" actually mean?
It means the password does not appear in the HaveIBeenPwned dataset, which covers hundreds of known data breaches totalling billions of credentials. It does not mean the password has never been exposed — only that it hasn't turned up in the breaches in this particular dataset. A not-found result is a good sign, not a guarantee.
What does a high breach count mean in practice?
Even a count of 1 means the exact password string has appeared in breached data. Attackers use breach lists for credential stuffing — trying every known password against every service they can reach. A password that appears once is just as exploitable as one that appears a million times. Any breach count should be treated as a hard signal to change the password everywhere it's used.
Why SHA-1 if SHA-1 is considered weak?
SHA-1 is used here because it's what HaveIBeenPwned uses to index its breach data — this is a lookup against an existing dataset, not a recommendation for how to store passwords. For actual password storage, use bcrypt, Argon2, or scrypt. SHA-1 is fine as a consistent lookup key across a fixed dataset; it's only problematic when used to protect a secret that must remain unrecoverable.