Password Breach Checker
Find out whether a password has ever appeared in a known data breach — without ever sending the password anywhere. Free, instant, and your password never leaves your device.
We hash your password locally with SHA-1, then send only the first 5 characters of that hash to the Have I Been Pwned range API. That 5-character fragment matches hundreds of different passwords, so nobody — not us, not them — can tell which one you typed. The full list of matching hash endings comes back, and the comparison happens right here on your device. This technique is called k-anonymity.
Nothing is stored, logged or remembered. Close the tab and it is gone. If you would rather not type a live password at all, generate a fresh one with the Password Generator instead.
How to use the Password Breach Checker
- Type or paste the password you want to test into the box above.
- Click "Check for breaches". Your browser hashes the password with SHA-1 locally.
- Only the first five hex characters of that hash leave your device — never the password.
- Read the result: either the password has never been seen in a breach corpus, or you will see exactly how many times it has appeared.
- If it has been exposed, change it everywhere you used it and switch to a unique, random password.
Why use ZillaKit's Password Breach Checker?
Billions of username and password pairs have leaked from hacked websites over the past two decades, and attackers feed those lists straight into automated login attempts — a technique called credential stuffing. If a password you use appears in one of those lists, it does not matter how clever it looks: it is already in the attacker's dictionary and it will be tried against your accounts within seconds. This tool checks a password against the Have I Been Pwned "Pwned Passwords" corpus of over 900 million real breached passwords, using the k-anonymity range search so that your actual password is never transmitted, never logged and never stored. Everything except the five-character hash prefix stays inside your browser tab. There is no signup, no email address, no rate limit and no cost. If a password comes back clean it only means it has not shown up in a public breach yet — a short or predictable password can still be cracked in seconds, so pair this check with our Password Strength Checker and generate replacements with the Password Generator.
What is k-anonymity, in plain English?
Imagine you want to ask a librarian whether a specific book is in the library, but you do not want the librarian to know which book you are curious about. So instead of naming the book, you ask for every book whose title starts with "The Gr". The librarian hands you a list of hundreds of titles, and you quietly scan it yourself to see if yours is there. The librarian learns almost nothing. That is exactly what happens here: the "title" is the SHA-1 hash of your password, we only reveal the first five characters of it, and the server sends back every hash ending that shares that prefix — typically 400 to 800 of them. The final match is done on your machine, in JavaScript, and the answer never leaves the page.
FAQ
Is it safe to type my real password here?
Yes — safer than almost any other breach check. The password is hashed with SHA-1 inside your browser using the native crypto.subtle API, and only the first 5 of the 40 hex characters of that hash are ever sent over the network. Nothing on our side, and nothing on the Have I Been Pwned side, can reconstruct your password from a 5-character fragment shared by hundreds of other passwords. Nothing is written to disk or to any log.
Can I check whether my email address was in a breach?
Not here, and we would rather be honest about why. The Pwned Passwords API used by this tool is free and needs no API key, which is what makes a fully client-side, keyless check possible. The Have I Been Pwned email breach API is a different service that requires a paid, authenticated API key — the key would have to sit on a server, which means your email address would have to be sent to that server. That is a privacy trade-off we are not willing to make, so we do not offer it. To check an email address, go to haveibeenpwned.com directly.
My password shows zero breaches. Am I safe?
It means the password has not appeared in any breach data set that Have I Been Pwned has ingested. It does not mean the password is strong. "Zebra7!" has probably never been breached, but it is still short enough to brute-force. Check its strength separately and prefer long, randomly generated passwords.
What does the breach count actually mean?
It is the number of separate times that exact password string appeared across all the breach corpora that have been loaded — so a count of 3,861,493 means millions of real accounts used it. Any count above zero means the password is in attacker word lists and should be retired immediately, everywhere you used it.
Why SHA-1? Isn't that broken?
SHA-1 is unsuitable for signatures because collisions can be engineered, but here it is only used as an index into a pre-computed lookup table — that is the format Have I Been Pwned publishes, so we must match it. The security of this tool comes from the k-anonymity range search, not from the hash function's collision resistance.
Does this work offline?
The hashing does, but the lookup needs one HTTPS request to api.pwnedpasswords.com to fetch the list of hash suffixes for your prefix. That is the only network call the page makes.