Find out if a password has shown up in known data breaches. Thanks to k-anonymity, your password and even its full hash never leave your browser — only a 5-character fragment is ever shared.
How this stays private: your browser computes the SHA-1 hash locally and sends only the first 5 characters of it to our server, which relays them to the breach database. The database returns thousands of possible matches and the comparison finishes in your browser — your actual password and its full hash never leave your device.
This tool uses the k-anonymity model popularized by Have I Been Pwned. Your browser hashes the password with SHA-1, keeps the full hash to itself, and sends only the first five characters. The breach service returns the suffix of every breached hash that begins with those five characters (often hundreds or thousands of them), and your browser checks locally whether yours is among them. Nobody on the network can tell which password you actually checked.
The design means you don't have to fully trust anyone: the full password and hash stay on your device, and only a fragment shared by countless other passwords is ever transmitted. Still, as a habit, prefer checking passwords you're retiring, and if any password shows up as breached, replace it everywhere immediately.
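The client-side steps described above, as an added example in Python (not this tool's own code). It assumes the breach service answers with one SUFFIX:COUNT line per match, as the Have I Been Pwned range API does; fetch_range, fake_fetch and the sample response are hypothetical stand-ins for the network call.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Look for our suffix in a SUFFIX:COUNT listing; 0 means not listed."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.isdigit():
            continue  # ignore blank or malformed lines
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch_range):
    """fetch_range is a hypothetical callable: prefix -> response body."""
    prefix, suffix = split_hash(password)
    # Only the prefix is handed to the network layer; the suffix stays local.
    return breach_count(suffix, fetch_range(prefix))

# Constructed sample response for prefix 5BAA6 (entries and counts are made up,
# except that the second suffix belongs to SHA-1("password")).
SAMPLE_BODY = "\r\n".join([
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1200",
    "FFEEDDCCBBAA99887766554433221100FFE:0",
])

SENT = []  # records everything that would cross the network

def fake_fetch(prefix):
    """Stand-in for the HTTP request; logs what was transmitted."""
    SENT.append(prefix)
    return SAMPLE_BODY

def demo():
    SENT.clear()
    hits = check_password("password", fake_fetch)
    misses = check_password("constructed-unlisted-passphrase", fake_fetch)
    return hits, misses, list(SENT)

if __name__ == "__main__":
    print(demo())
```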