Your password is hashed locally. Only the first 5 chars of the SHA-1 hash leave your device (k-anonymity, HIBP). Learn more

Your privacy is protected: We use k-anonymity to check passwords securely. Only the first 5 characters of your password's hash are sent to the API. Your actual password never leaves your device.

How It Works

1. Secure Hashing

Your password is hashed using SHA-1 in your browser. The actual password never leaves your device.

2. K-Anonymity

Only the first 5 characters of the hash are sent to Have I Been Pwned API for maximum privacy.

3. Instant Results

We compare your hash against 10+ billion compromised passwords and show if it's been breached.

Frequently Asked Questions

How does the password leak checker work?
Our leak checker uses the Have I Been Pwned API to check if your password appears in known data breaches. We use k-anonymity to protect your privacy: only the first 5 characters of your password's hash are sent, and matching is done locally in your browser.
What should I do if my password was found in a breach?
Change it immediately on all accounts where you used it. Data breaches expose passwords to attackers who use them in credential stuffing attacks. Generate a new, unique password for each account and consider using a password manager to keep track of them.
Does checking my password send it to your servers?
No, never. We use SHA-1 hashing and k-anonymity to protect your password. Your actual password never leaves your browser. Only a partial hash prefix is sent to the API, making it impossible for anyone to determine your original password.

Related Tools

Continue your security workflow with these tools