Check password breach exposure using Have I Been Pwned k-anonymity range API.
Updated
Uses Have I Been Pwned k-anonymity API.
Only first 5 SHA-1 chars are sent; full password stays local.
Quick start
Run HIBP k-anonymity check locally from password hash prefix.
Type password to test against breach corpus.
Tool sends only SHA-1 prefix to HIBP API.
If matched, rotate password and enable MFA.
In-depth guide
This tool tells you whether a password has appeared in a known data breach, using the Have I Been Pwned Pwned Passwords service. It is built around k-anonymity, so your password — and even its full hash — never leaves your browser. Only the first five characters of a SHA-1 hash are sent, and the match is finished locally.
Your browser hashes the password with SHA-1 and sends only the first 5 hex characters of that hash to the API. The service returns every breached hash that shares those 5 characters — hundreds of candidates — and your browser checks the rest of the hash against that list. The server never learns which password, or even which full hash, you were testing.
A high count means the password is widely known to attackers and is a prime target for credential-stuffing. A zero result is reassuring but not a guarantee of future safety — it only means the password is not in this corpus yet. In a product, screen new passwords against this list at signup and reset, and pair it with multi-factor authentication.
This is the one tool here that makes a network request, and it is deliberately privacy-preserving. If you would rather check a password with no network call at all, avoid entering your most sensitive credentials and treat the result as advisory.
Use this tool for quick browser-based work when you need an answer or output immediately. Use a dedicated application or automated workflow when you need bulk processing, approvals, or repeatable production rules.
No. Your browser hashes it with SHA-1 and sends only the first 5 characters of that hash (the k-anonymity model). The rest is matched locally.
The Have I Been Pwned Pwned Passwords range API, over HTTPS. It returns many candidate hashes that share your 5-character prefix.
It is how many times that password has appeared across known breaches. A high count means it is widely known to attackers and a prime credential-stuffing target.
No. Zero means it is not in this corpus yet, not that it is safe forever. Still prefer long, unique passphrases and enable multi-factor authentication.
The server only ever sees a 5-character hash prefix shared by hundreds of passwords, so it cannot tell which password — or even which full hash — you tested.
The protocol is privacy-preserving, but if you prefer zero network exposure, avoid testing your most critical credentials and treat the result as advisory.
Keep exploring
Hand-picked utilities that pair well with the one you're on — all free, client-side, and zero-signup.
Encrypt and decrypt text locally with AES-256-GCM and passphrase-derived keys.
Generate signed HS256 JWTs from custom header and payload JSON locally.
Generate 6-digit rolling TOTP codes and otpauth URIs from Base32 secrets.
Shrink PDF file size without uploading to a server.
Body Mass Index with metric / imperial inputs and WHO category bands.
Combine multiple PDFs into one in your browser.
Split a PDF by pages or page ranges, download as zip.