Password Breach Check
Check if a password has appeared in a known data breach. Your password is hashed locally and never transmitted. This is how a privacy-respecting security tool should work.
Your password is never sent anywhere. It's hashed locally in your browser and only the first 5 characters of the hash are transmitted, a technique called k-anonymity.
How k-anonymity works
Hashed in your browser
Your password is converted to a SHA-1 hash locally using the Web Crypto API. It never leaves your device in plain text.
Only 5 characters transmitted
The first 5 characters of the hash are sent to Have I Been Pwned. This is the k-anonymity model: the prefix matches many different hashes, so it is mathematically impossible to reverse to your original password.
Matched against 900M+ records
HIBP returns all breach hashes starting with those 5 characters. Your browser checks the rest locally, so the match never touches any server.
What makes a strong password
- At least 16 characters: length matters more than complexity
- Unique per site: reuse is the most common attack vector
- Random, not memorable phrases: attackers know your pop culture references
- Use a password manager: you should not be able to remember all of them