Password Leak Checker

Find out if a password has ever appeared in a known data breach. Your password is hashed in your browser and only a short hash prefix is sent to the Have I Been Pwned database — the password itself never leaves your device.

Your password never leaves your browser. It is hashed locally with SHA-1, and only the first 5 characters of that hash are sent to the Have I Been Pwned range API. The service returns every breached hash sharing those 5 characters (hundreds of them) and the match is completed on your device — a technique called k-anonymity. The API never learns your password or its full hash.

How to use the password leak checker

  1. Type or paste a password and press Check (or enable live checking).
  2. The tool tells you whether that exact password appears in known data breaches, and how many times.
  3. If it has been seen even once, stop using it everywhere and change it — attackers load these lists into password-guessing tools first.

What "found in a breach" means

A hit does not mean your account was breached — it means this password string has appeared in a breach somewhere, so it is now on public cracking lists. A password seen millions of times (like password or 123456) is guessed almost instantly. A password with zero hits is not automatically strong, but at least it is not on a known list; check its strength with the password strength checker and generate a fresh one with the password generator.

Why this is safe to use

Sending a password to a website to "check" it would be reckless. This tool never does that. It computes the SHA-1 hash in your browser and sends only a 5-character prefix, so the server sees a bucket of ~300–500 possible hashes and cannot tell which (if any) is yours. Everything sensitive stays local. Read more about the maths in how long it takes to crack a password.
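The k-anonymity check described above, as an added example that is not this tool's own code: it uses Node's `crypto` module so it runs offline (a browser would hash with `crypto.subtle.digest`), and `splitHash`, `parseRange`, `breachCount` and the sample bucket are names and data constructed for illustration. It assumes the range response carries one `SUFFIX:COUNT` entry per line.

```javascript
// Added example (Node.js): k-anonymity range check, run offline.
const { createHash } = require('crypto');

// Hash locally, then split: the 5-character prefix is the only value sent;
// the 35-character suffix stays on the device.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body: one "SUFFIX:COUNT" entry per line.
// Lines that do not match that shape are skipped.
function parseRange(body) {
  const bucket = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) bucket.set(m[1].toUpperCase(), Number(m[2]));
  }
  return bucket;
}

// Finish the match locally. Returns how many times the password was seen;
// 0 covers both "suffix not in bucket" and padding entries with count 0.
function breachCount(password, rangeBody) {
  return parseRange(rangeBody).get(splitHash(password).suffix) || 0;
}

// Constructed sample bucket (not real API output): two filler entries,
// one malformed line, and the suffix of "password" with a made-up count.
const SAMPLE_BODY = [
  'A'.repeat(35) + ':3',
  splitHash('password').suffix + ':42',
  '0'.repeat(35) + ':0',
  'not-a-valid-line',
].join('\r\n');

console.log('sent to server :', splitHash('password').prefix);
console.log('times seen     :', breachCount('password', SAMPLE_BODY));
```

The server-side view of this exchange is only the string returned in `prefix`; the comparison against the suffix happens entirely in `breachCount`.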

Frequently asked questions

Is it safe to type my password into a leak checker?

Yes, the way this one works. Your password is hashed locally with SHA-1 and only the first five characters of the hash are sent to the Have I Been Pwned range API. The service returns hundreds of candidate hashes and the match is finished in your browser, so it never learns your password or its full hash.

What does it mean if my password was found in a breach?

It means that exact password string has appeared in a public data breach and is now on password-cracking lists — not necessarily that one of your accounts was hacked. Either way, stop using it: automated attacks try breached passwords first. Change it everywhere and use a unique password per site.

My password was not found — does that mean it is strong?

Not on its own. "Not found" only means it is not on the known breach lists; a short or predictable password can still be weak. Combine this check with a strength estimate and prefer a long, randomly generated password.

Where does the breach data come from?

From the Pwned Passwords set at Have I Been Pwned — over 600 million real passwords aggregated from historical data breaches, queried via its k-anonymity range API.
