Has my password leaked?
Check if a password leaked, without ever sending it (k-anonymity).
- Instant
- Free
- Private (processed locally)
- No sign-up
Check a breach without revealing your password
Type a password: the strength meter updates live, then run the breach check. Thanks to k-anonymity, your password never leaves your device.
-
Type a password
Strength is shown.
-
Run the check
Against known breaches.
-
Read the verdict
Compromised or not.
How privacy is preserved
- The SHA-1 hash is computed in your browser
- Only the first 5 characters of the hash are sent
- The service returns a list; the final match is local
- No password and no personal data is transmitted
Example
| Item | Value |
|---|---|
| Tested password | “password” (example) |
| Status | Compromised |
| Appearances | millions of times |
| Source | Pwned Passwords (k-anonymity) |
Your password is never sent. Check your important accounts, change any compromised password and enable two-factor authentication.
Frequently asked questions
Is my password sent?
No, never. Your browser computes the password’s SHA-1 hash and only sends its first 5 characters to the service, which returns all matching suffixes. The final comparison happens on your device: this is the “k-anonymity” model.
Where does the data come from?
From Pwned Passwords (the Have I Been Pwned project), a database of several hundred million passwords from real breaches. The API is free and needs no key.
What does the number mean?
The number of times this exact password appeared in known breaches. The higher it is, the more common — and dangerous — the password is, since attackers try those first.
What if it isn’t found?
That’s reassuring but not an absolute guarantee: it could be in a breach not yet indexed. Always use long passwords, unique per site, and enable two-factor authentication.