Password breach check
Check whether a password appears in known data breach databases using the Have I Been Pwned k-anonymity API. Your password is hashed locally — only a 5-character hash prefix is ever sent.
k-anonymity protected. Your password is never sent — only the first 5 chars of its SHA-1 hash.
How it works
- Your password is hashed with SHA-1 entirely in your browser.
- The first 5 hexadecimal characters of the hash are sent to api.pwnedpasswords.com/range/.
- The API returns the suffixes (the remaining 35 hex characters) of every breached password hash that starts with that prefix, typically 500–900 entries.
- Your browser checks whether your full hash suffix appears in that list.
- The result tells you how many times that exact password appeared in known breaches.
Common use cases
- Credential hygiene — audit old or reused passwords before rotating them.
- New account setup — verify your chosen password is not in any breach database.
- Security training — demonstrate k-anonymity to teams without exposing real passwords.
- IT audits — check candidate passwords against breach databases as part of policy enforcement.
Also see: Password Strength Checker to evaluate entropy, and Password Generator to create a secure replacement.
Frequently Asked Questions
- Is my password sent to any server?
- No. Your password is hashed with SHA-1 in your browser. Only the first 5 characters of the hash (the "prefix") are sent to the Have I Been Pwned API. The API returns all hashes starting with that prefix, and the matching is done locally in your browser. The full password and full hash never leave your device.
- What is k-anonymity?
- k-anonymity is a privacy model that prevents a data query from revealing which specific record you are looking for. In this context, sending only 5 hex characters means the API cannot determine which password you are checking, because thousands of passwords share the same 5-character prefix.
- What is Have I Been Pwned?
- Have I Been Pwned (HIBP) is a free service run by security researcher Troy Hunt. It aggregates data from hundreds of known data breaches and allows you to check whether a password or email address appears in them.
- My password was found — what should I do?
- Change the password immediately on every site where you use it. Enable two-factor authentication on those accounts. Use a unique, random password for each account — a password manager makes this practical.
- My password was not found — does that mean it is safe?
- Not necessarily. A password not found in HIBP may still be weak, guessable, or compromised in a breach that has not been added to the database yet. Use the Password Strength Checker to evaluate its entropy.
- Why does this tool require network access while others do not?
- The breach database contains billions of hashed passwords — too large to bundle in a browser tool. The k-anonymity API lets you query it without downloading the full dataset or revealing your password.
- Does this tool store the passwords I check?
- No. This is a static page with no backend. Passwords are processed in memory and discarded when you navigate away. The only network request is to api.pwnedpasswords.com with a 5-character hash prefix.
- Can I check email addresses too?
- This tool checks passwords only. To check if an email address appeared in a breach, visit haveibeenpwned.com directly.