Check whether your password has appeared in known data breaches.
This tool checks whether your password has appeared in known data breach databases, using the Have I Been Pwned API. The database contains billions of compromised passwords from real-world breaches.
To protect your privacy, k-anonymity is used: the SHA-1 hash of your password is computed, and only the first 5 characters out of 40 are sent to the API. The response contains all hashes with that same prefix. The check whether your specific password is compromised happens locally — the full hash never leaves the server.
This tool uses the public API of haveibeenpwned.com by Troy Hunt.
Change the password immediately on every site where it is used. Create a new password — long, unique, with a random mix of letters, digits and symbols. Enable two-factor authentication (2FA) on all critical services: email, social media and banking.
No. The tool uses k-anonymity: only the first 5 characters of your password's SHA-1 hash are sent to the API. The full hash is compared locally in the browser. Your actual password never leaves your device and cannot be intercepted or stolen.
The tool uses the official Have I Been Pwned (HIBP) database, which is regularly updated and contains billions of records from public breaches. If a password is found, it is definitively compromised. If not found, it is absent from known databases — but this does not guarantee it is completely safe.