Check if your password has appeared in known data breaches using k-anonymity — your password never leaves your device.
Hash in Browser
Your password is hashed with SHA-1 entirely in your browser using the Web Crypto API. The actual password is never sent anywhere.
Send 5 Characters Only
Only the first 5 characters of the 40-character hash are sent to the HaveIBeenPwned API. This is the k-anonymity model.
Match Locally
The API returns the suffixes of all hashes starting with those 5 characters. Your browser then checks locally, and privately, whether your full hash appears among them.
Your password is never sent to any server — hashing happens entirely in your browser.
Only a 5-character prefix of the SHA-1 hash is transmitted (k-anonymity).
The HaveIBeenPwned API returns hundreds of matching hash suffixes — making it impossible to determine which one you queried.
The final match check happens locally in your browser.
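The three steps above, written out as an added JavaScript example (not this tool's own code). The function names and the sample response body are constructed for illustration; the endpoint is the public Pwned Passwords range API, and the fetcher is injectable so the logic can run offline.

```javascript
// Web Crypto is a browser global; the fallback only lets the same code run under older Node.js.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Step 1: SHA-1 the password locally and return 40 uppercase hex characters.
async function sha1Hex(password) {
  const digest = await subtle.digest("SHA-1", new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Step 3: scan the "SUFFIX:COUNT" lines for our 35-character suffix.
// Returns the breach count; an absent suffix or a count of 0 (padding entry) yields 0.
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Step 2: the only network call; it carries the 5-character prefix and nothing else.
async function fetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  if (!res.ok) throw new Error(`range request failed: HTTP ${res.status}`);
  return res.text();
}

async function checkPassword(password, getRange = fetchRange) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5); // sent to the API
  const suffix = hash.slice(5); // never leaves the device
  const count = countInRange(await getRange(prefix), suffix);
  return { prefix, count, pwned: count > 0 };
}

// Constructed response body for prefix 5BAA6 (counts and decoy suffixes are made up).
const SAMPLE_RANGE = [
  "003D68EB55068C33ACE09247EE4C639306B:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
  "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
].join("\r\n");
```

Passing a stub as `getRange` (for example `async () => SAMPLE_RANGE`) exercises the full flow without touching the network and lets you confirm that only the prefix is ever handed to the fetcher.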
Powered by the HaveIBeenPwned Pwned Passwords API, a database of over 900 million compromised passwords collected from various data breaches.