Free Tool Arena


Password Breach Checker

Check if a password has appeared in a known data breach. Uses HaveIBeenPwned k-anonymity — your password never leaves the browser.

Updated June 2026

Your password never leaves this page

We SHA-1 the password in your browser, then send only the first 5 characters of the hash to Have I Been Pwned. The server replies with ~800 hash suffixes, and the actual comparison happens here. This is called k-anonymity — it’s the same approach 1Password and Chrome use.


What it does

A free checker that tells you whether a password has shown up in any of the hundreds of credential breaches tracked by Have I Been Pwned. If it has, attackers have it — and automated bots will be trying it on email, banking, and cloud accounts right now. Change it everywhere you’ve used it, and make the new one unique per site.

You never send the password itself. The tool hashes your password locally with SHA-1, sends only the first 5 hex characters to HIBP, and compares the reply against the rest of the hash in your browser. This is called k-anonymity. It’s the same mechanism 1Password and Chrome’s password-leak warning rely on. For generating a new password once you need to rotate, use the password generator.

Embed this tool on your site

Paste this snippet into any page. Loads on-demand (lazy), no tracking scripts, and sized to most dashboards. Replace the height to fit your layout.

<iframe src="https://freetoolarena.com/embed/password-breach-checker" width="100%" height="720" frameborder="0" loading="lazy" title="Password Breach Checker" style="border:1px solid #e2e8f0;border-radius:12px;max-width:720px;"></iframe>

How to use it

  1. Type or paste a password into the box.
  2. Click Check — it hashes locally and sends only 5 characters of the hash.
  3. A green box means it’s not in HIBP’s breach corpus; red means rotate it now.
  4. Click Clear when done so the field resets.

When to use this tool

  • Periodically auditing passwords you reuse across multiple sites.
  • Verifying a candidate password isn’t already compromised before adopting it.
  • After hearing about a major breach (LinkedIn, Adobe, Yahoo), checking whether your passwords were affected.
  • When migrating to a password manager — checking each existing password for breach status before storing.

When not to use it

  • On a shared / public computer where someone could read your password before you check.
  • For real-time login attempts — this is for retrospective audit, not auth-time check.
  • As proof of password security — passing this check means ‘not yet leaked’, not ‘will never be leaked’.

Common use cases

  • Annual password hygiene check — review all reused passwords against HIBP.
  • Onboarding to 1Password — bulk-check all existing passwords for breach status.
  • Investigating after receiving a Have I Been Pwned alert email about a service.
  • Security training demo — show users that ‘password123’ is in 24M+ breaches.

Frequently asked questions

How does k-anonymity actually protect my password?
Your password is SHA-1 hashed locally in your browser (e.g. 'password' becomes '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8'). Only the FIRST 5 hex characters ('5BAA6') are sent to HIBP. HIBP returns ALL hashes that start with '5BAA6' (typically 500-1000 hashes). Your browser then checks the full hash locally against that list. HIBP never sees your full hash, never sees the password, can't reverse-engineer your input. This is the same protocol Apple iCloud Passwords, 1Password Watchtower, and Chrome's password monitor use.
What's the largest leaked password database HIBP knows about?
HIBP's Pwned Passwords v8 contains 847+ million unique password hashes from breaches including Adobe (2013, 153M passwords), LinkedIn (2012, 117M), Yahoo (2013, 1B accounts though hashed), Dropbox (2012, 68M), and hundreds more. Common passwords like '123456' appear millions of times across breaches. If your password shows up at all, attackers have it. The 'count' shows how many breaches it appeared in — even 1 occurrence means it's compromised.
Should I check passwords I'm currently using?
Yes — that's the primary use case. If a password you currently use shows up in HIBP, an attacker can attempt credential-stuffing attacks (trying the same email + password on hundreds of sites). Change it immediately, especially for: email (gateway to everything), banking, primary social media, password manager master password. Use unique passwords per site so one breach doesn't cascade. A password manager is essentially mandatory for this; humans can't remember 100+ unique passwords.
Why isn't my password showing as breached if it's a common word?
Common dictionary words ARE in the database. If '123456' or 'password' show as 'not breached,' you may have a typo or extra character. The check is exact-match. 'Password' (capital P) and 'password' are different hashes; only one may be in the database (though both probably are). For testing, try '123456' — it should show as breached 24+ million times.
Are special characters required for a strong password?
Length matters more than complexity. NIST 2017 guidelines recommend long passphrases (15+ characters of random words like 'correct horse battery staple') over short complex passwords ('P@ssw0rd!1'). A 20-character lowercase passphrase has more entropy than an 8-character mixed-case symbol-laden password. Most modern systems accept passwords up to 64+ characters. Use a password manager to generate 25+ character random strings; you only need to remember the manager's master password and your operating system's login. The era of memorized site-specific passwords is over.
What should I do if my password IS in the breach database?
Immediate steps: (1) Stop using it — change it on every site where you used it. (2) Enable 2FA / multi-factor authentication on critical accounts (email, banking, password manager). (3) Switch to a password manager (1Password, Bitwarden, Dashlane) and generate unique passwords for every site. (4) Check 'haveibeenpwned.com' with your email to see WHICH services breached your account. (5) Monitor financial accounts for unauthorized activity. (6) Consider a credit freeze if SSN was potentially exposed.
