Password Breach Checker

Checks if a password has been exposed in known data breaches using the k-anonymity HaveIBeenPwned API. Your password is hashed in-browser and never sent to any server.

Privacy guarantee: Your password is hashed in your browser using SHA-1. Only the first 5 characters of the hash (out of 40) are sent to our server. Your actual password is never transmitted.

How to Use Password Breach Checker

  1. Enter your password in the secure input field.
  2. Your browser computes a SHA-1 hash — only the first 5 characters are sent to our server.
  3. The tool checks against the HaveIBeenPwned breach database using k-anonymity.
  4. See how many times your password has been found in known data breaches.

Frequently Asked Questions

Is my password safe to enter here?
Yes. Your password never leaves your browser. The tool uses k-anonymity: it computes a SHA-1 hash of your password entirely in your browser using the WebCrypto API, then sends only the first 5 characters of that hash (out of 40) to our server. The server returns all hash suffixes matching that prefix — your browser then checks locally if your full hash is in the list. Your actual password or full hash is never transmitted.
What is k-anonymity and how does it protect my password?
K-anonymity is a privacy technique: a value is revealed only as part of a group large enough that no single member can be singled out. With a 40-character SHA-1 hash, sending only the first 5 characters means the remaining 35 characters can take any of 16^35 values, and thousands of breached-password entries are returned for every prefix lookup. Neither our server nor the HaveIBeenPwned API can determine which specific password you checked. The matching happens entirely in your browser.
What database is this checking against?
The HaveIBeenPwned (HIBP) database, maintained by security researcher Troy Hunt. It contains over 10 billion password hashes from hundreds of real data breaches. The database is updated regularly as new breaches are discovered and processed. The k-anonymity range API this tool uses is free and does not require an API key.
My password was found — what should I do?
Change it immediately on every site where you use it. Use a unique password for each site — a password manager (Bitwarden, 1Password, or KeePass) makes this practical. Enable two-factor authentication on critical accounts (email, banking, social media). Being in the breach database doesn't mean your specific account was compromised — it means the password is known to attackers and should never be used again.
How is password strength calculated?
Strength is based on: length (most important), character variety (uppercase, lowercase, numbers, symbols), whether it's a common pattern or keyboard walk, and estimated entropy. A 20+ character passphrase of random words scores very strong even without symbols. Short passwords (<8 chars) score very weak regardless of character variety.
Does this tool store my password or search history?
No. The SHA-1 prefix lookup is the only network request made, and it contains no identifying information about you or your password. We do not log the prefixes received. The HIBP API is queried anonymously. Nothing is stored.
Should I check passwords I currently use?
Yes — that's the primary use case. If your current password appears in the breach database, change it now. You can also use this to evaluate new passwords before setting them, or to audit old passwords stored in a password manager to prioritize which ones to update.