
Free Tool

Password Breach Checker

Find out if a password has been exposed in a known data breach — without ever sending it to a server.

Your password is never sent. Only the first 5 characters of your password's SHA-1 hash are transmitted to the HaveIBeenPwned API. The matching check happens entirely in your browser.

About this tool

What is HaveIBeenPwned?

HaveIBeenPwned (HIBP) is a free service that aggregates billions of credentials leaked from data breaches. When attackers publish stolen password databases, researchers add them to HIBP so individuals can check exposure without creating new risk.

How k-anonymity keeps your password private

This tool hashes your password with SHA-1 in your browser, then sends only the first 5 characters of that hash to the API. The API returns all breached hashes starting with those 5 characters, and the tool compares them against your full hash locally. Your full password never leaves your device.
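
The range query described above, written out as an added example (not this tool's own code). It assumes the Pwned Passwords range endpoint `https://api.pwnedpasswords.com/range/`, its `SUFFIX:COUNT` response lines and the `Add-Padding` request header; the function names and the sample response are constructed for illustration.

```javascript
// Web Crypto is a global in browsers and recent Node; older Node exposes it via the module.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// SHA-1 of the UTF-8 password as 40 uppercase hex characters.
async function sha1Hex(password) {
  const digest = await webCrypto.subtle.digest("SHA-1", new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("").toUpperCase();
}

// Default transport (assumed endpoint, not named on the page). Only `prefix` is sent.
async function fetchRangeFromHibp(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
    headers: { "Add-Padding": "true" }, // ask for a padded response
  });
  if (!res.ok) throw new Error(`range query failed: HTTP ${res.status}`);
  return res.text();
}

// Parse "SUFFIX:COUNT" lines into a Map; malformed lines and count-0 padding are skipped.
function parseRange(body) {
  const seen = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m && Number(m[2]) > 0) seen.set(m[1].toUpperCase(), Number(m[2]));
  }
  return seen;
}

// Number of times the password appears in the breach corpus (0 = not found).
// `fetchRange` is injectable so the privacy property can be tested offline.
async function breachCount(password, fetchRange = fetchRangeFromHibp) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5); // the only value that leaves the device
  const suffix = hash.slice(5);    // 35 characters, compared locally
  return parseRange(await fetchRange(prefix)).get(suffix) ?? 0;
}

// Constructed sample response for prefix 5BAA6 (counts are made up).
const SAMPLE_RANGE = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345", // suffix of SHA-1("password")
  "0".repeat(34) + "A:0",                       // padding-style entry
].join("\r\n");
```

Passing a stub as `fetchRange` that records its argument shows exactly what would cross the network: a 5-character prefix and nothing else.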

What to do if your password is found

Change it immediately on every site where you use it. Enable MFA on all those accounts. Consider a password manager (1Password, Bitwarden) to generate and store unique passwords — so a breach at one service can't compromise others.

What makes a strong password

NIST SP 800-63B guidance: length matters most. Aim for 12+ characters. A passphrase like "correct-horse-battery-staple" is stronger than "P@ssw0rd!". Use a password manager to generate and remember them, so you should only need to memorize one master password.