Checks the Have I Been Pwned database using k-anonymity — only the first 5 characters of your SHA-1 hash are sent. Your password never leaves your device.
How k-anonymity works: Your password is hashed with SHA-1 in your browser. Only the first 5 hex characters of that hash are sent to the HIBP API. The API returns all matching hash suffixes, and your browser checks locally. Your full password and full hash never leave your device.
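The lookup described above, as an added example that is not this page's own code. It uses Node's `crypto` module so it runs offline against a constructed API response; in a browser the digest would come from `crypto.subtle.digest('SHA-1', ...)`. The function names and the sample response body are assumptions made for illustration.

```javascript
// Added example: client side of a k-anonymity range lookup.
const { createHash } = require('node:crypto');

// Hash locally, then split the 40-hex-char SHA-1 digest into 5 + 35 characters.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The only thing that goes on the wire: a URL containing the 5-character prefix.
function rangeUrl(prefix) {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error('prefix must be exactly 5 hex chars');
  return 'https://api.pwnedpasswords.com/range/' + prefix;
}

// The API answers with "SUFFIX:COUNT" lines; the match is done locally.
function breachCount(responseBody, suffix) {
  for (const line of responseBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n; // a count of 0 (padding entry) means "not breached"
    }
  }
  return 0; // suffix absent from the range: not in the data set
}

// Constructed response body for the demo; the counts and filler suffixes are made up.
function sampleBody(suffix) {
  return ['0'.repeat(35) + ':3', suffix + ':42', 'F'.repeat(35) + ':0'].join('\r\n');
}

function demo() {
  const { prefix, suffix } = splitHash('password');
  // A real client would fetch rangeUrl(prefix) here; the body is stubbed instead.
  return { url: rangeUrl(prefix), count: breachCount(sampleBody(suffix), suffix) };
}

console.log(demo());
```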
Frequently Asked Questions
Is this password breach checker free?
Yes, free. The HIBP Pwned Passwords API is a free public service by Troy Hunt. No API key is required.
Does my full password get sent anywhere?
No. Only the first 5 characters of your password's SHA-1 hash are sent to the API — this is the k-anonymity model. Your actual password and the full hash never leave your browser.
What should I do if my password is pwned?
Stop using that password immediately and change it on every account where you used it. Use a unique, randomly generated password for each account — our Password Generator can help.