Password Leak Check (Pwned Passwords API)
Type a password to check whether it appears in known data breaches. The check uses Have I Been Pwned's k-anonymity API: your password is hashed with SHA-1 in the browser, only the first 5 hex characters of that hash are sent to the API, and the API returns every hash suffix in its database that shares those 5 characters. Neither your password nor its full hash ever crosses the network.
How k-anonymity protects your password
- The browser computes SHA-1 of your password locally — a one-way hash.
- Only the first 5 hex characters of the 40-character hash are sent to api.pwnedpasswords.com.
- The API returns several hundred (roughly 500) hash suffixes that share those 5 characters, each with a count of how many times it appeared in breach data.
- The browser checks whether the remaining 35 hex characters of its own hash appear in that list and reports the count; the server never learns which of the returned entries, if any, was the one you hold.
Pwned Passwords contains over 850 million credentials from real breaches. A non-zero count means the password is known to attackers and should not be used anywhere.
How to use the Password Leak Check (Pwned Passwords API)
Type or paste a password. Click Check (or press Enter). The tool hashes the password locally, sends only the first 5 characters of the hash, and reports whether the rest of the hash matches an entry in the breach database and how many times that entry was seen. The Show toggle reveals the typed password so you can confirm what you entered.
About Password Leak Check (Pwned Passwords API)
Have I Been Pwned (haveibeenpwned.com) is a free service run by Troy Hunt that aggregates leaked credentials from public data breaches. The Pwned Passwords endpoint exposes a queryable hash database without ever requiring users to send their passwords. The k-anonymity model is the clever part: the API returns all hashes sharing the first 5 hex characters of SHA-1, so the server only learns that your password is one of the ~500 in that range, never which one. The actual password never reaches Troy's servers. The one thing an observer can still see is the size of the response; the API accepts an Add-Padding request header that pads every response with zero-count entries to blunt that.
Why does it matter? Attackers buy or scrape breach dumps and try the leaked credentials against other services (credential stuffing). If your password appears in even one major breach, it's on the lists attackers use. The fix is simple: pick passwords that haven't appeared in any known breach. This check rules out the ones in HIBP's corpus, but a zero result does not make a short or guessable password strong; it only means that exact string hasn't turned up in a breach yet. A password manager + long random passwords + unique per site is the gold standard.
Common use cases
- Vet a candidate password before using it for a new account.
- Audit existing passwords — check the ones you reuse most, rotate any that show breaches.
- Educate non-technical users — show them a "123456 has been pwned 38 million times" demo.
- Internal security review — verify your password policy excludes commonly-breached values, as NIST SP 800-63B recommends for verifiers (screening new passwords against values from previous breach corpuses).