
Is My Password Pwned?

Audit your password against 1 billion+ leaked credentials — zero-knowledge, free, instant

100% Client-Side  ·  No Data Stored  ·  Your password never leaves your device

Uses k-anonymity: only the first 5 characters of a SHA-1 hash are sent to the API. The actual password is never transmitted. Powered by Have I Been Pwned.

How It Works: k-Anonymity

This checker uses a technique called k-anonymity so your password is never sent over the internet — not even to the API. Here is what happens when you click "Check Password":

1. Hash in your browser

Your browser converts the password into a SHA-1 hash entirely locally. The password itself is never sent anywhere.

2. Send only 5 characters

Only the first 5 characters of the 40-character hash are sent to the HIBP API — not enough to reverse-engineer your password.

3. Match locally

The API returns ~500 matching hash suffixes. Your browser checks them locally. If your hash is in the list, the password is compromised.

Why SHA-1? The HIBP Pwned Passwords database uses SHA-1 hashes. This is not used for security — it is purely a lookup mechanism. The k-anonymity model ensures that neither HIBP nor any third party ever sees your actual password.

What Does "Pwned" Actually Mean?

Finding your password in this database does not mean your account was hacked. It means this exact password appeared somewhere in a data breach — even if it wasn't your account that was leaked. It may have been used by someone else, or on a site you (or anyone) used that was later hacked.

Think of it this way: the password sunshine123 was used by millions of people. When one of those sites was breached, that password ended up in the database — but not because you specifically were targeted.

So why does it matter? Attackers take breach databases and automatically try every password on them against thousands of sites — banks, Gmail, Amazon, social media. This is called credential stuffing. The more times a password appears in the database, the more likely it is already on every attacker's active list. If you use that password anywhere, it will be tried against your accounts.

In short: a password not in the database is safer to use. A password that appears hundreds of thousands of times is almost certainly being actively tested against accounts right now.

What to Do If Your Password Is Found

1. Change it immediately on every site where you use it

Attackers use automated tools to try breached passwords across thousands of sites simultaneously. Do not reuse passwords.

2. Use a password manager to generate unique passwords

Tools like Bitwarden (free), 1Password, or Dashlane generate and store strong, unique passwords for every site automatically. Most also include built-in breach monitoring — they will alert you if one of your saved passwords appears in a new breach.

3. Enable two-factor authentication (2FA)

Even if your password is compromised, 2FA blocks most automated account takeover attempts. Use an authenticator app rather than SMS if possible.

4. Consider passkeys where available

Passkeys replace passwords entirely — they cannot be phished, reused, or found in a breach database. Where a site supports them, they are a stronger option than any password.

5. Check your email for breaches too

A compromised password is often linked to a specific account. Check whether your email address was exposed in any breach.

What Makes a Strong Password

Most compromised passwords follow predictable patterns. Here is what separates a strong password from one that ends up in breach databases:

✓ Use a passphrase

4+ random words (e.g. "correct-horse-battery-staple") are long, memorable, and extremely hard to crack — better than complex short passwords.

✓ Minimum 16 characters

Length is the single most important factor. A 16-character random password takes centuries to brute-force, even with modern hardware.

✗ Avoid common substitutions

Replacing "e" with "3" or "o" with "0" (e.g. "P@ssw0rd") is well-known to attackers and provides minimal additional security.

✗ Never reuse passwords

When one site is breached, attackers immediately test the same credentials everywhere else. One breach can cascade into dozens of compromised accounts.

US users: Credential stuffing is a top attack vector. The US sees the most credential stuffing attacks globally. Attackers buy breach databases containing billions of username/password pairs and run automated scripts against banking, email, and shopping sites — often within hours of a breach being published on the dark web.

How Passwords End Up in Breach Databases

Passwords become compromised in several ways:

  • Database breaches: A website storing your password (ideally hashed, sometimes in plaintext) is hacked and the data is leaked or sold.
  • Phishing: You are tricked into entering your password on a fake site that captures it directly.
  • Malware / keyloggers: Software on your device records keystrokes, including passwords as you type them.
  • Credential stuffing: Attackers reuse passwords from older breaches to break into newer accounts.

The HIBP Pwned Passwords database currently contains over 1 billion passwords collected from real-world breaches. If your password appears even once, it means it was in a breach and is being actively used by attackers.

The Verdict: One Password Change Can Prevent Disaster

If your password appears in this database, change it now. It does not matter how many times it appears — once is enough for it to be in every credential stuffing list used by attackers today.

The two-step defense: Use a password manager to generate a unique 20+ character password for each site, and enable 2FA on every account that supports it. These two steps eliminate the vast majority of automated attacks.

Also check your email: Compromised passwords are almost always linked to exposed email addresses. See if your email was in a breach to understand the full picture.
