Password leak checker

Check whether your password has appeared in a known data breach. Your password never leaves your device.

Check your password now

Your password is hashed in your browser and never transmitted in plain text.

What you'll find out

  • Whether this password has ever appeared in a breach
  • How many times it has been seen in leaked data
  • Whether it is safe to keep using it
  • What to do next if it has been exposed

What it cannot tell you

  • Which specific breach the password came from
  • Which account it belongs to
  • Whether someone is actively using it right now

How the password check works

  1. You enter your password

  2. Your browser hashes it using SHA-1 — the password itself is never sent anywhere

  3. Only the first 5 characters of the hash are sent to look up matching records — this is called k-anonymity

  4. The response contains thousands of partial hash matches — your browser checks locally whether yours is in the list

  5. You get a result in under 2 seconds — your actual password was never transmitted

What is a password leak checker?

A password leak checker tells you whether a specific password has appeared in known data breaches. If it has, attackers already have it on the lists they use to break into accounts — so it is no longer safe to use anywhere.

This checker uses k-anonymity, which means your password is hashed in your browser and never sent to our servers. You get a clear answer in seconds: keep it, or replace it now.

Frequently asked questions

Is it safe to type my password here?

Yes. Your password never leaves your device. Your browser hashes it with SHA-1 and sends only the first five characters of that hash to look up matches — a method called k-anonymity. The full password is never transmitted, stored, or seen by us.

What does it mean if my password was found?

It means that exact password has appeared in known breach data and is on lists attackers use for credential-stuffing attacks. Stop using it everywhere immediately and replace it with a unique, strong password. A password manager makes this easy.

What is k-anonymity?

K-anonymity is a privacy technique that lets you check a password without revealing it. Only the first five characters of its hash are sent, returning thousands of possible matches, and your browser checks locally whether yours is among them. The site never learns your actual password.

My password wasn't found — does that mean it's strong?

Not necessarily. It only means that specific password hasn't appeared in the breach data we check. A short or guessable password can still be weak even if it has never been leaked, so length and uniqueness still matter.

Should I change a password that was found in a breach?

Yes, immediately — and anywhere else you used it. A leaked password is one of the most common ways accounts get taken over. Replace it with a long, unique password and turn on two-factor authentication.

Is the password leak checker free?

Yes — it is completely free with no signup and no payment. Your password is checked privately using k-anonymity and is never stored.

Also check your email address — it's a separate risk →