
Password Breach Check.

Uses HaveIBeenPwned k-anonymity: only the first 5 characters of your SHA-1 hash leave your browser. The full password never does. See how many known breaches contain your password.


Understanding your results.

The tool shows two things:

  • How many times your password has appeared in known data breaches
  • The time range of the breaches it was found in (recent vs historical)

If your password appears in any breach, it means that password was exposed in a real-world security incident and could be used in credential-stuffing attacks. Change it immediately.

Common mistake: assuming a password is safe just because it wasn't found in this database. HIBP only contains passwords from known, publicly leaked breaches. A password could be compromised through phishing, keyloggers, or breaches that haven't been disclosed yet.

How to use this tool.

Type a password you want to check. The tool hashes it in your browser with SHA-1 and searches the Have I Been Pwned password database — over 800 million real-world breached passwords. Results appear in under a second.

Your full password never leaves this device. Only the first 5 characters of the SHA-1 hash are sent to HIBP's k-anonymity API, which returns a list of matching hash suffixes. The check happens locally. Nothing is logged or transmitted beyond that partial hash prefix.

Pro tip: if a password you use appears in a breach, change it immediately on every account that uses it. Switch to a password manager with unique passwords per site. The password generator can help you create strong replacements.


Privacy & safety.

K-anonymity protects your password. This tool uses the same k-anonymity protocol that Firefox and 1Password use. Your full password is never sent over the network. Only the first 5 characters of a SHA-1 hash are transmitted. The API returns hundreds of possible matches, and the final check happens locally in your browser.

No logging, no storage. We do not log, store, or transmit the passwords you check. The page does not use cookies, sessions, or tracking of any kind.

Best practice: use unique passwords for every account. Never reuse passwords across services. A password manager makes this practical — we recommend Bitwarden (free) or 1Password.

Frequently asked questions.

How does the breach check work without sending my password?
The tool uses a technique called k-anonymity. Your password is hashed with SHA-1 in your browser. Only the first 5 characters of that hash are sent to the HaveIBeenPwned API. The API returns a list of all hash suffixes that match those 5 characters (typically 50–500 results). Your browser then checks whether the rest of your hash appears in that list. Neither your full password nor your full hash ever leaves this device.
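
The lookup described above and under "How to use this tool" and "Privacy & safety", as an added example (not this site's own code). Assumptions: Node's `crypto` module stands in for the browser's Web Crypto API, `fetchRange` is a hypothetical synchronous transport, and the response body and its counts are constructed so the example runs offline.

```javascript
const { createHash } = require("node:crypto"); // stands in for the browser's Web Crypto

// SHA-1 of the password as 40 uppercase hex characters.
function sha1Hex(password) {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Parse a range response body: one "SUFFIX:COUNT" entry per line (CRLF or LF).
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(":");
    if (!/^[0-9A-Fa-f]{35}$/.test(suffix)) continue; // skip blank or malformed lines
    counts.set(suffix.toUpperCase(), Number.parseInt(count, 10) || 0);
  }
  return counts;
}

// How many times the password appears in the returned bucket (0 = not found).
// fetchRange(prefix) is a hypothetical injected transport, synchronous here so
// the example runs offline; it receives only the 5-character hash prefix.
function breachCount(password, fetchRange) {
  const hash = sha1Hex(password);
  const prefix = hash.slice(0, 5); // the only value handed to the network layer
  const suffix = hash.slice(5);    // remaining 35 characters stay local
  return parseRange(fetchRange(prefix)).get(suffix) || 0;
}

// Constructed stand-in for the API: logs what it was sent and returns a
// constructed body (counts are made up; one entry is lower-case on purpose).
const sent = [];
function fakeRange(prefix) {
  sent.push(prefix);
  return [
    "0".repeat(35) + ":3",
    sha1Hex("password").slice(5).toLowerCase() + ":1234",
    "F".repeat(35) + ":0", // zero-count entry, treated as not found
    "",
  ].join("\r\n");
}

console.log(breachCount("password", fakeRange), sent);
```

The `sent` array is the audit point: after any number of checks it holds only 5-character prefixes, which is the property the privacy claim rests on.
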
What is k-anonymity and why is it safe?
K-anonymity means your data is indistinguishable from at least k-1 other records. In this context, when we send only the first 5 hash characters, the API returns hundreds of possible suffixes. An attacker seeing the request cannot determine which suffix belongs to you. Even if the API were malicious, it could only learn that your password's hash starts with those 5 characters — which is not enough information to reconstruct the password or even narrow it down significantly.
What should I do if my password appears in a breach?
Change it immediately on every account that uses it. Then: (1) enable two-factor authentication (2FA) on all supported accounts, (2) check if the breach exposed other data like your email or phone number, (3) use unique passwords for every account — a password manager makes this practical, (4) consider freezing your credit if a breach exposed personal information.
How many passwords does HaveIBeenPwned have?
As of 2026, the HIBP password database contains over 800 million real-world passwords exposed in data breaches. The database is sourced from publicly leaked data — every password that appeared in a known breach is included. If your password is in this database, it should be considered compromised and changed immediately.
Is it safe to type my password into this tool?
Yes. The password never leaves your browser. Only a partial hash (5 characters of a SHA-1 hash) is sent over the network — not the password itself. HIBP's k-anonymity API was designed specifically for this use case and is used by major browsers and password managers (including Firefox and 1Password) for breach detection. That said, for maximum safety, avoid using this tool on public or untrusted computers.
What is SHA-1 and is it secure enough for this?
SHA-1 is a cryptographic hash function. While SHA-1 is considered broken for some security use cases (like certificate signing), it is perfectly adequate for this application because we only use it to look up the hash prefix — nobody is trying to reverse the hash. HIBP uses SHA-1 because it allows quick prefix lookups. The password is never transmitted, so the hash quality is irrelevant to your security.
Can I check passwords for family members?
Yes. The same k-anonymity protection applies regardless of who enters a password. However, encourage them to enter the passwords themselves on their own device. If you enter someone else's password on your device, you learn their password — which defeats the security purpose.