Password Breach Checker

A breach checker built on the Have I Been Pwned k-anonymity API — the same protocol behind 1Password Watchtower, Bitwarden Reports, Firefox Monitor, and Chrome's built-in compromised-password warning. Your password is hashed locally, and only a 5-character prefix of that hash is sent to HIBP. The server returns ~500 candidate hashes that share that prefix and your browser does the matching — so your actual password and full hash never leave the device. HIBP indexes 850M+ unique compromised passwords across breaches like LinkedIn, Adobe, Collection #1 and hundreds more.

How to use

1. Enter a password

Click the field and type or paste. The check runs on submit, not on every keystroke.

2. Click Check

Your browser hashes the password locally and sends only the first 5 characters of the hash to HIBP, which returns ~500 candidates to match against.

3. Read the result

Either "not found" or "seen N times". If found, change the password everywhere it is reused.

4. Generate a replacement

Use our password generator or passphrase generator for a unique, strong replacement.

Look up your password in the Have I Been Pwned breach database via the k-anonymity protocol

k-anonymity model. Only the first 5 characters of your password's hash are sent. HIBP returns about 500 candidates that share that prefix, and your browser figures out which (if any) is yours, so the server never sees your actual password or the full hash. This is the same protocol that 1Password Watchtower, Bitwarden Reports, Firefox Monitor and Chrome's "compromised passwords" warning use.
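
The lookup described above, as an added Python sketch (not this tool's own code). It assumes SHA-1, as named in the FAQ, and HIBP's range-response format of one SUFFIX:COUNT line per candidate, with count-0 rows treated as padding. The make_fake_server helper is a hypothetical, constructed stand-in for the range endpoint so the example runs offline.

```python
import hashlib

def split_hash(password):
    """Hash locally; return (5-char prefix to send, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse SUFFIX:COUNT lines; skip malformed lines and count-0 padding rows."""
    hits = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits

def breach_count(password, fetch_range):
    """Return how many times the password appears; 0 means not found."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the only value that leaves the device
    return parse_range_response(body).get(suffix, 0)

def make_fake_server(breached):
    """Constructed offline stand-in for the range endpoint (hypothetical helper).
    breached maps password -> count; the returned list records every prefix received."""
    seen = []
    def fetch_range(prefix):
        seen.append(prefix)
        rows = [f"{s}:{n}" for pw, n in breached.items()
                for p, s in [split_hash(pw)] if p == prefix]
        rows.append("0" * 35 + ":0")  # constructed padding row
        return "\r\n".join(rows)
    return fetch_range, seen

if __name__ == "__main__":
    # Constructed breach counts, for illustration only.
    fetch, seen = make_fake_server({"password": 12345, "hunter2": 7})
    for pw in ("password", "hunter2", "xkT9-violet-anvil-42"):
        n = breach_count(pw, fetch)
        print("seen %d times" % n if n else "not found")
    print("server saw only:", seen)
```

The list returned by make_fake_server shows what the server side observes: 5-character prefixes only, never the suffix or the password.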

Features

k-anonymity protocol
850M+ compromised passwords
Hashed locally before sending
Count of occurrences
No account, no logging

FAQ

What exactly is sent to HIBP?

Just a 5-character prefix of your password's hash — nothing else. That prefix collides with about 500 different passwords, so HIBP literally cannot tell which one you checked. No cookies, no account.

What is k-anonymity?

A privacy model where your query is mixed in with k other indistinguishable queries. Sending a 5-character hash prefix means your lookup is one of ~500 — the server cannot uniquely identify what you searched for.

Why use a hash function known to be broken?

The relevant attack against SHA-1 is collision-finding (forging two different files with the same hash). The k-anonymity protocol does not depend on that — it only needs the function to spread passwords evenly across prefix buckets, which SHA-1 does fine. Same reason HIBP, 1Password and Firefox Monitor all still use it for this specific lookup.

Where does the breach data come from?

Troy Hunt's Have I Been Pwned project (haveibeenpwned.com), the de facto standard breach corpus. 850M+ unique compromised passwords aggregated from 850+ disclosed breaches and curated lists.

My password is not in the database — is it strong?

Not necessarily. It just means it has not appeared in a published breach yet. A short or predictable password can still be cracked by brute force in seconds. Run it through the strength checker too.

What should I do if it is breached?

Stop using it immediately. Credential-stuffing bots try every breached password against every login form they can find — reuse is what gets accounts taken over. Generate a unique replacement for every site, switch to a password manager (Bitwarden, 1Password, KeePass), and enable 2FA wherever possible.

Why use this if my password manager already audits for breaches?

For one-off checks — a password you saw in a leak post, a colleague's "is this safe?" question, or a password you haven't put in a manager yet. If you already use 1Password Watchtower or Bitwarden Reports for your whole vault, you don't need this for those.
