Password Breach Checker
Check whether a password has appeared in a known data breach. Uses k-anonymity, so the password itself never leaves your browser.
Your password is never sent anywhere. It is hashed in your browser with SHA-1, and only the first 5 hexadecimal characters of that hash are sent to the Have I Been Pwned Pwned Passwords API (the k-anonymity model).
How It Works
Privacy-First Breach Detection
This tool checks your password against the Have I Been Pwned Pwned Passwords database — a corpus of over 900 million real-world passwords collected from known data breaches. The check uses a technique called k-anonymity to ensure your password never leaves your browser.
Here's how it works: your password is hashed with SHA-1 locally in your browser. Only the first 5 characters of that 40-character hexadecimal hash are sent to the API. The API returns every stored hash suffix that begins with those 5 characters, each with the number of times it was seen, typically 400–600 entries. Your browser then checks whether the remaining 35 characters of your hash appear in that list. The API never sees your full hash, let alone your actual password: a 5-character prefix only narrows the query to one of about a million buckets and cannot be reversed to a password. SHA-1 is used here purely as a lookup key, to match the format of the database; its known collision weaknesses do not affect this check.
The result tells you how many times that exact password appears in the breach corpora that Have I Been Pwned has ingested. A count above zero means real users had this password and it was exposed; you should change it everywhere it is used.
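The range query described above, written out as an added example in Python so each step can be run and inspected offline. This is not the tool's own code and it is not browser code; it mirrors what the browser does. HIBP_RANGE_URL and the two request headers (User-Agent, Add-Padding) are the real Pwned Passwords API conventions; the response body, its counts and the extra suffixes are constructed for the example, and fetch_range_constructed stands in for the network.

```python
# Added example: k-anonymity lookup against a Pwned Passwords-style range response.
# HIBP_RANGE_URL is the real endpoint; CONSTRUCTED_RANGES is made up for the demo.
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5  # hex characters sent to the API (20 bits of the 160-bit hash)


def sha1_hex(password: str) -> str:
    """Step 1 (local): SHA-1 of the UTF-8 bytes as upper-case hex, 40 characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """Step 2 (local): only the 5-char prefix leaves the device; the 35-char suffix never does."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Step 3: the API answers with 'SUFFIX:COUNT' lines, one per known hash sharing the
    prefix. Count-0 lines are padding (returned when the client asks for it) and carry
    no information, so they are dropped. Blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not suffix:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Step 4 (local): match the retained suffix against the returned list.
    fetch_range is injected so the same logic runs against a canned body or the live
    API; note that it only ever receives the prefix, never the suffix or password."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised offline). HIBP requires a User-Agent header;
    'Add-Padding: true' asks the API to pad the response with count-0 entries so the
    response size does not reveal which range was requested."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "k-anonymity-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range body for prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is the genuine remainder of that hash; the counts and the other
# two suffixes (one of them a padding entry) are invented for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:3",
        "00000000000000000000000000000000ABC:0",
    ]),
}


def fetch_range_constructed(prefix: str) -> str:
    """Stand-in for the API: returns the canned body, or an empty body for other prefixes."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    prefix, suffix = split_hash(sha1_hex("password"))
    print("sent to API:   ", prefix)
    print("kept locally:  ", suffix)
    print("breach count:  ", breach_count("password", fetch_range_constructed))
    print("unknown pw:    ", breach_count("correct horse battery staple", fetch_range_constructed))
```

Swapping fetch_range_constructed for fetch_range_live turns this into a real check; everything else, including what the server is allowed to see, stays the same.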
Best Practices
Password Security Fundamentals
- Use a unique password for every account. Password reuse is the primary driver of credential stuffing attacks: when one service is breached, attackers replay those credentials against every other service. One breach should never compromise more than one account.
- Use randomly generated passwords of 16+ characters. Random strings of that length appear in no wordlist and are far beyond brute-force reach, so dictionary attacks and pattern-based guessing do not apply. A password manager generates and stores them so you never need to memorize them.
- Enable two-factor authentication on every account that supports it. A breached password alone is not enough if the attacker lacks your second factor. Hardware keys (FIDO2/WebAuthn) are the strongest form because they cannot be phished; TOTP apps are a strong second, though their codes can be relayed by a real-time phishing page.
- Check breach status after major incidents. Recheck passwords you care about after large breaches are publicized. The Pwned Passwords corpus is updated as new breach data is processed, so a password that was clean last year may not be clean today.
FAQ
Frequently Asked Questions
How does this work without sending my password?
K-anonymity: your password is SHA-1 hashed in the browser, and only the first 5 characters of the hash are sent to the API. The API returns every known suffix for that prefix with its count. Matching the full hash happens locally, so your password never leaves your device.
How many passwords does this check against?
The Have I Been Pwned Pwned Passwords database contains over 900 million real-world passwords from known data breaches, updated regularly as new breach data is published.
My password shows as breached. What do I do?
Change it on every service where you use it immediately. Enable two-factor authentication. Use a unique, randomly generated password for each account going forward — a password manager makes this practical.
Does a clean result mean my password is secure?
Not necessarily. A count of zero means the password has not appeared in the breach data Have I Been Pwned holds; it could still be short, guessable, or reused across accounts. Unique, randomly generated passwords of 16+ characters are the only reliable defense.