Has Your Password Been Leaked?
Check any password against billions of leaked credentials. Your password is hashed in your browser - we never see it.
Your password is hashed with SHA-1 inside your browser. Only the first 5 characters of the hash (about 100,000 possible prefixes) are sent to the breach-check service. Even the service operator cannot reverse this back to your password - this technique is called k-anonymity.
The password field is cleared the moment you click Check, for your safety.
How does this work?
The privacy-preserving math behind a breach lookup.
- You type a password. It stays in this browser tab. Nothing is sent yet.
- Your browser computes a SHA-1 hash. SHA-1 is a one-way function: the hash cannot be reversed back to your password.
- Only the first 5 hex characters of the hash leave your device. That prefix matches roughly 500 different passwords on average - a single needle in a small haystack.
- The server replies with every breached hash that shares your prefix. Your browser scans the list locally to find the match (if any) and reports the breach count.
A "found" result means an identical password exists in at least one public credential dump - it is unsafe to keep using anywhere. A "not found" result means no exact match in this dataset, but it does not certify the password as strong on its own.
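The four steps above, with both sides of the exchange simulated in one process, as an added example (not this site's own code). The `RangeServer` class, the `SUFFIX:COUNT` response line format and the sample dump are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample corpus: password -> times seen in (fictional) dumps.
CONSTRUCTED_DUMP = {"password123": 2400, "letmein": 310, "Summer2024!": 7}


def sha1_hex(password: str) -> str:
    """40-character uppercase hex SHA-1 digest of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical breach-check service: indexes hashes by 5-char prefix."""

    def __init__(self, dump):
        self.by_prefix = {}
        self.seen_queries = []  # everything the operator learns from clients
        for password, count in dump.items():
            digest = sha1_hex(password)
            self.by_prefix.setdefault(digest[:5], []).append((digest[5:], count))

    def lookup(self, prefix: str) -> str:
        # Reject anything that is not exactly a 5-character hex prefix.
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        self.seen_queries.append(prefix)
        rows = self.by_prefix.get(prefix, [])
        # Assumed wire format: one "SUFFIX:COUNT" line per breached hash.
        return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def breach_count(password: str, server: RangeServer) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # no exact match in this dataset


if __name__ == "__main__":
    server = RangeServer(CONSTRUCTED_DUMP)
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, server))
    print("server saw only:", server.seen_queries)
```

The `seen_queries` list is the point of the exercise: it holds 5-character prefixes only, never the password or the full hash.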
Found in a breach? Do this next.
A short recovery checklist if your password was leaked.
- Stop using this password everywhere - on every site, not just one.
- Generate a fresh, long, unique password (16+ characters, mixed character types).
- Store it in a password manager (KeePassXC, 1Password, Bitwarden) so you never have to remember it.
- Turn on two-factor authentication (2FA) for any account that supports it.
- Watch your email - leaked credentials are often combined with other personal data in further breaches.