Free Tool Arena

Password Breach Checker

Check if a password has appeared in a known data breach. Uses HaveIBeenPwned k-anonymity — your password never leaves the browser.

Updated April 2026

Your password never leaves this page

We SHA-1 the password in your browser, then send only the first 5 characters of the hash to Have I Been Pwned. The server replies with ~800 hash suffixes, and the actual comparison happens here. This is called k-anonymity — it’s the same approach 1Password and Chrome use.

What it does

A free checker that tells you whether a password has shown up in any of the hundreds of credential breaches tracked by Have I Been Pwned. If it has, attackers have it — and automated bots will be trying it on email, banking, and cloud accounts right now. Change it everywhere you’ve used it, and make the new one unique per site.

You never send the password itself. The tool hashes your password locally with SHA-1, sends only the first 5 hex characters of the hash to HIBP, and compares the suffixes in the reply against the rest of the hash in your browser. This is called k-anonymity. It’s the same mechanism 1Password and Chrome’s password-leak warning rely on. When you need to rotate a password, use the password generator to create the new one.
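
The exchange described above, as an added example in Node.js; it is not this tool's own code. The function names, the stub server and its reply (including the counts) are constructed for illustration, and the stub stands in for the HIBP range request so the example runs offline.

```javascript
// Added example (not the tool's code): the k-anonymity check, runnable offline in Node.js.
const { createHash } = require("node:crypto");

// Hash locally; split the 40-char SHA-1 hex into a 5-char prefix and the remaining suffix.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range reply: one "SUFFIX:COUNT" entry per line; malformed lines are ignored.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// fetchRange(prefix) is the only call that crosses the network boundary,
// and it receives the prefix alone. The suffix match happens locally.
function breachCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return parseRange(fetchRange(prefix)).get(suffix) ?? 0;
}

// Constructed stand-in for the server (hypothetical data, counts invented).
// A real client would GET https://api.pwnedpasswords.com/range/<prefix> instead.
const sent = []; // records everything the "server" ever sees
function stubRange(prefix) {
  sent.push(prefix);
  if (prefix !== "5BAA6") return "";
  return [
    "0".repeat(35) + ":3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42", // suffix of SHA-1("password")
    "F".repeat(35) + ":1",
  ].join("\r\n");
}

console.log(breachCount("password", stubRange));             // listed in the sample reply
console.log(breachCount("constructed-unlisted", stubRange)); // not listed
console.log(sent); // everything that left the client: 5-character prefixes only
```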

How to use it

  1. Type or paste a password into the box.
  2. Click Check — it hashes locally and sends only 5 characters of the hash.
  3. A green box means it’s not in HIBP’s breach corpus; red means rotate it now.
  4. Click Clear when done so the field resets.