Free online tool
Check whether a password appears in known breach data without sending the password or its full hash.
Privacy-preserving lookup
Your password stays in this browser. It is hashed locally. Only the first five characters of that hash are shared with Have I Been Pwned, and the final comparison happens here.
Enter a password and select Check password to begin.
Your browser converts the password to a SHA-1 lookup hash, then sends only its first five characters to the Pwned Passwords range service. The service returns many possible hash endings. Your browser compares the remaining 35 characters locally. This k-anonymity approach means the service does not receive the password or its complete hash, though it should not be described as complete anonymity.
SHA-1 is used here only because the corpus is indexed by it. It is not secure password-storage guidance.
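The lookup described above, as an added JavaScript example (not this page's or Have I Been Pwned's own code): it hashes locally, exposes only the five-character prefix, and compares the 35-character ending against the returned list. `RANGE_URL` is HIBP's public range endpoint; the function names, the injectable `fetchRange` parameter and the sample response are assumptions constructed for illustration.

```javascript
// Added example. RANGE_URL is HIBP's public range endpoint; all other names are illustrative.
const RANGE_URL = 'https://api.pwnedpasswords.com/range/';

// SHA-1 of the password as 40 uppercase hex characters, computed locally.
async function sha1Hex(password) {
  // Browsers expose Web Crypto globally; older Node versions need the import.
  const wc = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  const digest = await wc.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Only `prefix` (5 chars) goes on the wire; `suffix` (35 chars) stays local.
function splitHash(hex) {
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Find our suffix in a "SUFFIX:COUNT" response; returns the count, or 0 if absent or malformed.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isInteger(n) && n > 0 ? n : 0;
    }
  }
  return 0;
}

async function defaultFetchRange(prefix) {
  const res = await fetch(RANGE_URL + prefix);
  // Fail loudly: an error is "no result", never "not found".
  if (!res.ok) throw new Error(`range lookup failed: HTTP ${res.status}`);
  return res.text();
}

// `fetchRange` is injectable so the comparison can be exercised offline.
async function checkPassword(password, fetchRange = defaultFetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const count = countInRange(await fetchRange(prefix), suffix);
  return { found: count > 0, count, sentToService: prefix };
}

// Constructed response for prefix 5BAA6 (SHA-1 of "password"); counts are made up.
const SAMPLE_RANGE = [
  `${'A'.repeat(35)}:7`,
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  `${'B'.repeat(35)}:3`,
].join('\r\n');
```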
Found means the same password appears in HIBP's known corpus; the count records corpus occurrences, not your affected accounts. Change it anywhere it was used. Not found means only that it was absent from the corpus when checked—not that it is safe. Always prefer a long, unique password, a reputable password manager, and multi-factor authentication.
This checker searches passwords only. It does not search email addresses, usernames, phone numbers, or domains. Results depend on the availability and current contents of the external corpus.
Breach-password data is provided by Have I Been Pwned: Pwned Passwords. Read our privacy policy for the site's broader data practices.
Privacy: The password and full hash never leave your browser. Only a five-character hash prefix is sent directly to HIBP; this page loads no advertising or third-party analytics scripts.
No. Your browser converts it to a SHA-1 lookup hash locally. Only the first five hash characters are sent directly to Have I Been Pwned; the full comparison happens in your browser.
The Pwned Passwords corpus is indexed by SHA-1, so this checker uses it only as a lookup key. SHA-1 is not suitable for storing passwords; services should use a dedicated, salted password-hashing algorithm.
No. It only means the password was not present in the corpus at the time of this check. It could still be weak, reused, newly exposed, or known to an attacker.
It is the number of times that password appears in the current HIBP Pwned Passwords data. It is not a count of your accounts or proof of which breach contained it.
Change it everywhere you used it, give every account a unique password, use a reputable password manager, and enable multi-factor authentication where available.
The checker shows that no result was produced. It does not silently use another provider. You can retry later; the result always depends on HIBP availability and its current corpus.