Check Pwned Passwords

Check if your password has been exposed in known data breaches using the Have I Been Pwned API with k-anonymity protection.

Verify whether your password has appeared in any known data breach without exposing it. This tool uses the Have I Been Pwned API with k-anonymity; only the first 5 characters of the SHA-1 hash are sent over the network. The full comparison happens locally in your browser, so your actual password is never transmitted to any server.

Tutorial

How to Check if Your Password Has Been Pwned

1. Enter Your Password

Type or paste the password you want to check into the input field. Your password stays on your device and is never sent to any server.

2. Click Check Password

The tool hashes your password with SHA-1 locally, sends only the first 5 hash characters to the Have I Been Pwned API, and compares the rest in your browser.

3. Review the Results

If your password was found in breaches, change it immediately on all accounts that use it. If it was not found, that does not guarantee security; always use strong, unique passwords.

Guide

Complete Guide to Pwned Password Checking

Why Checking for Breached Passwords Matters

Credential stuffing is one of the most common attack vectors today. Attackers take username-password pairs from one breach and try them across thousands of other services. If your password appears in any breach database, every account using that password is at risk. Regularly checking your passwords against known breaches is a fundamental part of personal and organizational security hygiene.

How K-Anonymity Protects Your Privacy

The k-anonymity model, pioneered by Cloudflare and Troy Hunt for the HIBP API, ensures that your full password hash is never transmitted. Your browser computes the SHA-1 hash locally, sends only the first 5 hex characters (the prefix) to the API, and receives back all hash suffixes matching that prefix. Your browser then checks if your full hash suffix appears in the returned set. The server never learns which hash you were actually looking for, preserving your privacy completely.
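The lookup described in tutorial step 2 and in this section, as an added example rather than the tool's own code: a Python mirror of what the browser does, hashing locally, sending only the 5-character prefix, and matching the 35-character suffix against the returned range entirely on the client. The range endpoint and the User-Agent requirement are those of the public HIBP API; the offline stand-in response and its 250000 count are constructed for the example.

```python
import hashlib
import urllib.request

# Real HIBP range endpoint; only the 5-character prefix is ever appended to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash locally and split the 40-hex-char digest into the 5-char prefix
    that goes on the wire and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the API body: one 'SUFFIX:COUNT' entry per line (CRLF in the real API)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Breach occurrence count for password, or 0 if its suffix is absent from the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network version: HIBP rejects requests without a User-Agent (name is a placeholder)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "example-pwned-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the network call so the example runs offline.
# A real range holds several hundred suffixes; this fake one holds the suffix
# of 'password123' (count is made up) plus two filler entries.
def fake_fetch_range(prefix: str) -> str:
    p123_prefix, p123_suffix = sha1_prefix_suffix("password123")
    filler = "0" * 34
    if prefix != p123_prefix:
        return f"{filler}A:1\r\n"
    return f"{filler}B:4\r\n{p123_suffix}:250000\r\n{filler}C:1\r\n"
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real API; the server still only ever sees the prefix.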

What to Do When a Password Is Compromised

If a password is found in a breach, change it immediately on every service where you used it. Enable two-factor authentication wherever possible. Consider switching to a password manager that generates long, random passwords unique to each account. Never reuse passwords across services, because a single breach can cascade into multiple account compromises.

Building a Strong Password Strategy

Use a password manager to generate and store unique, random passwords of at least 16 characters for every account. Enable two-factor authentication on all critical accounts. Periodically audit your stored passwords against breach databases. Avoid patterns, dictionary words, and personal information. A strong password strategy combined with regular breach checks dramatically reduces your risk of account compromise.

Examples

Password Check Examples

Checking a Common Password

A user wants to verify whether the password 'password123' has appeared in breaches.

1. Type 'password123' into the password field
2. Click Check Password
3. The tool reports the password was found in millions of breaches

Password Compromised! This password has been seen in over 250,000 data breaches. Change it immediately.

Checking a Unique Password

A user tests a randomly generated 20-character password from their password manager.

1. Paste the generated password into the field
2. Click Check Password
3. The tool confirms no matches were found

Password Not Found in Breaches. No matches in the HIBP database, though this alone does not guarantee absolute security.

Use Cases

Password Breach Check Use Cases

Audit Your Current Passwords

Check every password stored in your password manager against the breach database. If any appear, rotate them immediately and enable two-factor authentication on those accounts to reduce the risk of credential stuffing attacks.

Validate New Passwords Before Using Them

Before setting a new password on any service, run it through this checker to ensure it has not already been compromised in a previous breach. This adds an extra layer of confidence that your new credential is not sitting in an attacker's dictionary.

Educate Teams on Password Hygiene

Use this tool in security awareness training sessions to demonstrate how common passwords like 'password123' appear in millions of breaches. Seeing real breach counts motivates employees to adopt password managers and stronger credentials.

Frequently Asked Questions

Is my password sent to any server?

No. Your password is hashed with SHA-1 entirely in your browser. Only the first 5 characters of the hash are sent to the Have I Been Pwned API. The full hash is compared locally, so your actual password never leaves your device.

What is k-anonymity and how does it protect me?

K-anonymity is a privacy technique where only a small prefix of the hash is sent to the server, which returns all hashes matching that prefix. Your browser then checks for a match locally. This means the server never knows which specific password you are checking.

What does it mean if my password is found in breaches?

It means your exact password appeared in at least one publicly known data breach. Attackers use these lists for credential stuffing attacks. You should change it immediately on every account where you used it.

My password was not found. Does that mean it is safe?

Not necessarily. It only means it was not found in the Have I Been Pwned database. A password can still be weak, guessable, or vulnerable to brute-force attacks. Always use long, unique passwords or a password manager.

What is the Have I Been Pwned database?

Have I Been Pwned is a free service created by security researcher Troy Hunt. It aggregates data from publicly known breaches and currently contains over 900 million unique passwords, making it the largest breach password dataset available.

Can this tool see or store my password?

No. The tool runs entirely in your browser. Your password is processed client-side to generate the SHA-1 hash. Nothing is logged, stored, or sent anywhere except the 5-character hash prefix to the API.

How is SHA-1 used here if it is considered broken?

SHA-1 is considered weak for digital signatures, but it is perfectly adequate for this use case. The Have I Been Pwned API uses SHA-1 as a lookup key, not as a security mechanism. The k-anonymity model ensures no useful information is exposed.

Is this tool free?

Yes. Completely free with no limits, no sign-up required. Check as many passwords as you need without any restrictions.

Should I check my passwords regularly?

Yes. New breaches are disclosed frequently, and the database grows over time. A password that was safe last month might appear in a new breach. Periodic checks help you stay ahead of attackers.

Does this work offline?

No. The tool needs to query the Have I Been Pwned API to retrieve the hash range. However, only 5 characters of the hash are sent, not your password. An internet connection is required for the lookup.
