Password Pwned Checker

πŸ” Password Breach Checker

Anonymously check if your password has appeared in known data breaches via HaveIBeenPwned. Uses k-anonymity protocol β€” only the first 5 characters of your password hash are sent.

πŸ“Š About Password Breaches

A data breach occurs when a website's database is compromised or accidentally exposed, leaking user passwords, emails, and other sensitive information. Regularly checking passwords against known breaches is a vital security habit.

πŸ“– Frequently Asked Questions

Is it safe to check my password here? Will my password be leaked?

Absolutely safe. This tool uses HaveIBeenPwned's k-anonymity API, which only sends the first 5 characters of the SHA-1 hash of your password. Your full password or full hash is never transmitted. Even if the API server is compromised, your password cannot be reconstructed. All processing is done locally in your browser.

What should I do if my password has been pwned?

If your password appears in known data breaches: 1) Change it immediately on all affected websites; 2) Use a strong, unique password generated by a password generator; 3) Enable two-factor authentication (2FA); 4) Never reuse the same password across different websites. Consider using a password manager.

What is k-anonymity API?

K-anonymity is a privacy-preserving technique used by HaveIBeenPwned. Your password is SHA-1 hashed locally, and only the first 5 characters of the hash are sent to the API. The API returns all full hashes starting with those 5 characters. The complete matching is done locally. This way, your full password hash never leaves your device.

Does a positive result mean my password is definitely compromised?

Yes, if there's a match, it means this password has appeared in at least one known data breach. However: 1) This means the password was exposed, not necessarily that it's being actively used maliciously; 2) Some old breached passwords may no longer be active. For security, any matched password should be changed immediately.

Do I need to pay for HaveIBeenPwned API?

No. HaveIBeenPwned's k-anonymity API is completely free and public, requiring no API key. This tool is entirely free to use with no hidden charges.

What's the difference between a leaked password and a weak password?

A leaked password has been exposed through a data breach or website compromise. A weak password lacks sufficient strength (like '123456'). They're different issues: a strong password can still be leaked through a breach; a weak password should be changed even if not leaked. Use both password strength checking and breach checking for complete security.