
Password Breach Checker

Check if your password has appeared in known data breaches using the Have I Been Pwned database. Uses k-anonymity so your full password is never transmitted.

Your password never leaves your browser — only the first 5 characters of its SHA-1 hash are sent (k-anonymity)
This tool is made possible thanks to Have I Been Pwned by Troy Hunt. Thank you for building the most comprehensive breach database and making it freely available through a privacy-respecting k-anonymity API.

How K-Anonymity Protects Your Password

This tool uses the Have I Been Pwned k-anonymity model. Your full password (or its full hash) is never sent to any server. Here is exactly what happens:

1. Hash locally: your password is hashed with SHA-1 entirely in your browser using the Web Crypto API.
2. Split the hash: the 40-character hex hash is split into a 5-character prefix and a 35-character suffix.
3. Send only the prefix: only the 5-character prefix is sent to the HIBP API. It matches ~500 hashes, so the API cannot determine which one is yours.
4. Compare locally: the API returns all hash suffixes matching that prefix, and your browser checks whether your suffix is in the list.
5. Result: if your suffix is found, the password has been breached. The full hash never left your device.

Example: password → SHA-1 → 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
Sent to API: 5BAA6  |  Kept local: 1E4C9B93F3F...68FD8

What To Do If Your Password Was Breached

Change the password immediately on every account where you use it.

Use a unique, randomly generated password for each account. A password manager makes this easy.

Enable two-factor authentication (2FA) wherever possible — even a breached password is useless without the second factor.

Check haveibeenpwned.com to see if your email appears in any known breaches.

Never reuse passwords across services. Credential stuffing attacks rely on password reuse.

How it works
Password Breach Check (HIBP k-Anonymity)
01. SHA-1 hash: password hashed locally using the Web Crypto API — produces a 40-character hex digest
02. Split prefix: first 5 characters of the hash become the API query — the remaining 35 characters stay local
03. API lookup: HIBP Pwned Passwords API returns ~500 hash suffixes matching the prefix — your full hash is never sent
04. Local comparison: your browser compares the remaining 35 characters against the returned list — entirely client-side
05. Breach result: if a match is found, the password has appeared in known breaches — the count indicates how many times

Spec: Have I Been Pwned Pwned Passwords API v3, NIST SP 800-63B (Digital Identity Guidelines)

K-anonymity ensures the API sees only the 5-char hash prefix, which matches ~500 passwords. The API cannot determine which password you are checking. Your full password and its full hash never leave the browser.

Frequently Asked Questions