Privacy Protected
Your password never leaves your browser and is not sent to our website or any server. The password is hashed locally, and only the first 5 characters of that hash are sent to Have I Been Pwned for verification (k-Anonymity). Your actual password cannot be determined from this partial hash.
How It Works
1. Your password is hashed locally using SHA-1
2. Only the first 5 hex characters are sent to Have I Been Pwned
3. The API returns the suffixes of all breached hashes that start with those 5 characters
4. We check locally if your hash suffix is in the list
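
The four steps above as an added Python example (not this site's own code, which runs in the browser). The names `split_hash`, `parse_range_response`, `breach_count` and `fake_fetch` are hypothetical, and the range response and its counts are constructed so the example runs offline; the `SUFFIX:COUNT` line format is that of the Have I Been Pwned range API.

```python
import hashlib


def split_hash(password):
    """Step 1: hash locally with SHA-1, split into 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Step 3: parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        # Skip blank or malformed lines instead of trusting the response blindly.
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Steps 2 and 4: send only the prefix, then compare the suffix locally."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the only value that leaves this process
    return parse_range_response(body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6; the counts are made up.
SAMPLE_BODY = "\r\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",  # suffix of SHA-1("password")
    "FEDCBA9876543210FEDCBA9876543210FED:1",
])

sent = []  # records everything the stand-in "network" call receives


def fake_fetch(prefix):
    """Stand-in for the HTTPS request to the range endpoint (assumption: offline demo)."""
    sent.append(prefix)
    return SAMPLE_BODY


if __name__ == "__main__":
    print("password ->", breach_count("password", fake_fetch))
    print("Password ->", breach_count("Password", fake_fetch))
    print("values sent:", sent)
```

The `sent` list shows what a network observer or the API operator would see: a 5-character prefix shared by many unrelated hashes, never the password or its full hash.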
Type a password and click "Check Password" to see if it has been exposed in any known data breaches.
What Does This Mean?
If your password appears in a breach, it means the exact password has been found in leaked databases. Attackers use these lists in credential stuffing attacks. Even if the breach wasn't from a service you use, you should change this password everywhere it's used.
Recommendations
Use unique passwords for every account. Consider using a password manager to generate and store strong, unique passwords. Enable two-factor authentication (2FA) wherever possible for additional security.