Free Tool

Password Breach Checker

Check a password against a database of billions of leaked credentials without revealing it. Only a 5 character hash fragment ever leaves your browser.

Your password never leaves your browser. It is hashed locally and only the first 5 characters of the hash are sent, using k-anonymity.

Why leaked passwords matter

When a website is breached, its password database usually ends up traded and eventually published. Attackers compile these dumps into massive lists, currently billions of entries, and feed them into automated tools that try each leaked email and password combination against banking sites, email providers, shops, and social networks. The technique is called credential stuffing, and it works because most people reuse passwords.

This means a password that has appeared in any breach is effectively public knowledge, no matter how strong it looks. If you have reused it anywhere, those accounts are one bot-run away from takeover.

How we check without seeing your password

This tool queries the Have I Been Pwned database of over 900 million leaked passwords using a method called k-anonymity. Your browser hashes the password locally, sends only the first 5 characters of the hash, and receives back every leaked hash sharing that prefix, typically around 800 candidates. The comparison happens on your device. Neither we nor the database operator ever see your password or enough of its hash to reconstruct it.

If your password comes back clean, make sure it is also strong with our strength checker. If it is found, replace it everywhere with unique passwords from the generator.

Frequently Asked Questions

How can checking my password be safe?

The check uses a technique called k-anonymity. Your browser hashes the password locally with SHA-1, then sends only the first 5 characters of that hash to the Have I Been Pwned database. The database returns every leaked hash starting with those 5 characters (usually several hundred), and your browser checks for a match locally. Your password, and even its full hash, never leave your device.

My password was found in a breach. What now?

Change it immediately on every account where you use it, and replace it with a unique password for each account. Turn on two-factor authentication wherever it is offered. A leaked password will be tried by bots against hundreds of popular sites within hours of appearing in a breach dump.

My password was not found. Does that mean it is safe?

It means the password has not appeared in the public breaches indexed so far, which is good news. It does not guarantee safety: the password could still be weak, guessable, or part of a breach that has not become public yet. Use the strength checker to verify it holds up on its own.

More Free Tools

View all tools →