What is "k-anonymity"?

It's a privacy technique where your query is hidden among k other queries - an attacker can't tell which of k+1 results you wanted. HIBP returns ~800 hashes per prefix (plus padding against timing attacks), so even a network observer can't know which specific password you checked.

The password did NOT leak - does that mean it's safe?

Not necessarily. 'Not found in breaches' only means it isn't in HIBP. The password may still be weak (short, guessable). Also check entropy - our password generator shows it in bits. Safe = 12+ random chars, not pwned, and used in only one place.

For cryptographic uses, yes, SHA-1 is weakened. But for pwned-check it serves as a fast fingerprint indexing breaches, not as a security primitive. Breaches usually arrive as plaintext or MD5/SHA-1 hashes - HIBP normalizes to SHA-1 for lookup. Constructing SHA-1 collisions does not help an attacker because they never see your full hash, only the 5-char prefix.

Are there rate limits?

The HIBP /range/ endpoint is free and unlimited (yes, really). Cloudflare caches responses globally so every query is fast. You can check thousands of passwords.

YourDevToolsPro

Pwned Password Check

Check whether your password has leaked - without ever sending it anywhere.

LiveRuns in your browser

Password breach check

Check whether your password has appeared in any public data breach. We use the HaveIBeenPwned database (850M+ passwords). The full password never leaves the browser - we send only the first 5 SHA-1 characters.

The full password never leaves your browser - we send only the first 5 SHA-1 hex chars (k-anonymity).

Breach data is provided by HaveIBeenPwned - an independent service by Troy Hunt, aggregating public password breaches since 2013.

Check whether your password has leaked in any public data breach. We query HaveIBeenPwned - an aggregate of 800+ breaches containing 850M+ unique passwords. Your full password never leaves the browser: we SHA-1 it locally, send only the first 5 hex characters to the API (k-anonymity), and match the rest in your tab.

How to check a password

Type the password in the field. It is hidden by default - click the eye icon to reveal.
Click "Check" or press Enter.
Wait 1-2 seconds. The result appears as green (safe) or red (found in breaches, with the count).
If pwned - change it immediately on every account that uses it. Generate a new, never-leaked replacement in our password generator, then run the password strength estimator to confirm it survives common attacks.

Use cases

Verify whether a password you've used for years sits in a public breach. Audit company passwords before tightening policy. Verify a password generated elsewhere. Check whether an old password from your manager is still safe or compromised long ago.

Frequently asked questions

Yes. SHA-1 hashing happens locally via the Web Crypto API (crypto.subtle.digest). We send only the first 5 hex chars of the digest to the HaveIBeenPwned API. The API returns ~800 hashes starting with that prefix and the match against your hash happens locally. Open DevTools Network - you'll see only a /range/A1B2C request where A1B2C is the public prefix.

Related tools

Password Generator

Create strong, cryptographically random passwords - entirely in your browser.

Password Hashes: MD5, SHA, bcrypt

16 hash algorithms: MD4, MD5, SHA, SHA-3, RIPEMD, MySQL, NTLM, HMAC, bcrypt - with optional salt.