Password Breach Checker
Check if your password has been in a data breach
Your password stays on your device
We use k-anonymity: only the first 5 chars of your password's SHA-1 hash are sent to HaveIBeenPwned. Neither they nor we ever see your full password.
Learn more — how it works, FAQ & guide
Free password breach checker — HaveIBeenPwned integration
Check if your password has been leaked in a data breach. Uses HaveIBeenPwned's k-anonymity API — your password never leaves your device. Database contains 850M+ leaked passwords from real breaches.
How to use this tool
1. Type your password
   Enter the password you want to check. We hash it locally — only the first 5 characters of the hash ever leave your browser.
2. Check against breach database
   We query HaveIBeenPwned's k-anonymity API — the world's largest leaked password database (850M+ breached passwords).
3. If leaked: change immediately
   If a password shows as leaked, change it everywhere you use it. Leaked passwords are in attacker dictionaries.
What to do if your password is breached
- Change it immediately at every site where you use it
- Never reuse passwords across sites — use a password manager
- Enable 2FA on email, banking, social accounts
- Generate new passwords with our Password Generator (16+ chars, all categories)
Frequently Asked Questions
Is my password sent to anyone?
No — thanks to k-anonymity. We SHA-1 hash your password locally and send only the first 5 characters of the hash to HaveIBeenPwned's API. They return all hashes starting with those 5 characters, and the comparison against your full hash happens on your device. Your full hash (and password) never leaves your device.
What is HaveIBeenPwned?
The largest public database of leaked passwords and accounts, maintained by security researcher Troy Hunt since 2013. Contains 850M+ passwords from real data breaches (LinkedIn, Adobe, Yahoo, etc.).
If my password isn't in the DB, is it safe?
Safer, but not guaranteed. New breaches happen daily. A "not leaked" result means the password is not in known public breaches; it doesn't prevent future leaks. Use a unique password per site and a password manager.
My password was leaked 100 times — meaning?
It appeared in 100 breach records. Common passwords like "123456" appear millions of times. Any number above 0 means attackers have this password in their dictionaries. Change it.
Why SHA-1 and not SHA-256?
HaveIBeenPwned uses SHA-1 for historical reasons. SHA-1 is cryptographically weak, but it's fine for this use: the lookup is still k-anonymous (a 5-character prefix is a 1-in-1M lookup).
Can I test multiple passwords?
Yes, one at a time. We never log what you test. Each check is independent.
100% Privacy. This tool runs entirely in your browser. Your data is never uploaded to any server.