Kordu Tools · Security & Privacy · Runs in browser · Privacy · Updated 30 Mar 2026

Password Breach Checker

Check if a password appeared in known data breaches using k-anonymity. Only the first 5 SHA-1 hash characters are sent — your password never leaves your browser.

Your password never leaves your browser

We use k-anonymity — only the first 5 characters of a SHA-1 hash are sent to the Have I Been Pwned API. Your full password is never transmitted to any server.


How to use Password Breach Checker

  1. Enter your password

    Type or paste the password you want to check into the secure input field. Click the eye icon to toggle visibility.

  2. Click Check

    Press the Check button. The password is hashed with SHA-1 locally and only the first 5 hex characters are sent to the Have I Been Pwned API.

  3. Review the breach result

    See whether the password appears in any known breach database and, if so, how many times it has been seen. Even one occurrence is cause for concern.

  4. Check the strength meter

    Review the strength indicator for additional context on the password's entropy and complexity independently of its breach status.

  5. Generate a new password if needed

    If your password was found in breaches or is weak, use the Password Generator to create a strong replacement.

Password Breach Checker FAQ

Is my password sent to a server?

No. Your password is hashed locally using SHA-1 via the WebCrypto API. Only the first 5 characters of the hexadecimal hash are sent to the Have I Been Pwned API. This k-anonymity model makes it mathematically infeasible to reconstruct your password from the 5-character prefix.

Is this tool safe to use?

Yes. The k-anonymity protocol was designed specifically so that the service provider cannot determine which password you are checking. Even if the HIBP API were compromised, only a 5-character hash prefix would be exposed — not your password.

Are inputs sent to a server?

Only a 5-character SHA-1 hash prefix is sent to the HIBP Pwned Passwords API. Your full password and complete hash remain local to your browser. The matching check is done entirely client-side.

What does k-anonymity mean?

K-anonymity means the API receives a hash prefix that matches hundreds of other hashes, so it cannot determine which specific password you are checking. Your full hash never leaves your browser — only a prefix that is shared by 500–1000 other entries in the database.

Should I change my password if it appears in a breach?

Yes. If a password has appeared even once in a breach database, attackers may include it in credential-stuffing attacks against any service you use it on. Change it immediately and use a unique, randomly generated password for every account.

Why does this use SHA-1 if SHA-1 is considered weak?

The HIBP Pwned Passwords API indexes passwords by SHA-1 hash. SHA-1's weaknesses apply to collision resistance used in digital signatures and certificates — not to this hash-prefix lookup use case. Your password's security does not depend on SHA-1 here; the hash is only an index key.

What is the Have I Been Pwned database?

Have I Been Pwned (HIBP) is a service created by Troy Hunt that aggregates compromised credentials from thousands of known data breaches. The Pwned Passwords dataset contains over 800 million unique passwords sourced from real-world breaches. It is the industry standard for credential breach checking.

Does 'not found' mean my password is secure?

Not found means the password has not appeared in indexed breach databases, but it does not guarantee security. A password could still be weak, guessable, or used across multiple accounts. Check the strength meter and use the Password Generator to create a strong replacement.

How often is the HIBP database updated?

Troy Hunt updates the Pwned Passwords dataset regularly as new breaches are discovered and processed. Major breaches are typically incorporated within days to weeks of public disclosure.

Background

Verify whether a password has been exposed in any known data breach using the Have I Been Pwned Pwned Passwords API — the industry standard for breach database lookups with over 800 million compromised passwords.

How k-anonymity works: Your password is hashed locally with SHA-1 via the WebCrypto API. Only the first 5 hex characters of that hash are sent to the HIBP API. The API returns all hashes matching that prefix (typically 500–1000 entries). Your browser then checks locally whether the full hash appears in the returned list. Your password and full hash never leave your device.

What the results mean:

  • Found N times — the password appears in breach databases. Even one occurrence means attackers include it in credential-stuffing attacks. Change it immediately and use a unique password for every account.
  • Not found — the password has not been seen in indexed breaches. This does not guarantee it is unguessable — also check the strength meter.

Strength meter: A built-in entropy-based strength indicator evaluates password complexity independently of breach status.

Privacy: Your password is never transmitted. The k-anonymity model makes it mathematically infeasible to reconstruct your password from the 5-character prefix sent to the API.
