Kordu Tools

Password Breach Checker

Privacy

Check if a password has appeared in known data breaches using k-anonymity.

Your password never leaves your browser

We use k-anonymity — only the first 5 characters of a SHA-1 hash are sent to the Have I Been Pwned API. Your full password is never transmitted to any server.


Not found in any known data breaches

This password has not appeared in any of the data breaches indexed by Have I Been Pwned. This does not guarantee it is secure — always use a unique password for each account.

Found in data breaches

This password has been seen 0 times in known data breaches. You should change it immediately and avoid reusing it anywhere.


How to use

  1. Enter your password

     Type or paste the password you want to check into the secure input field. Use the eye icon to toggle visibility.

  2. Click Check

     Press the Check button to hash the password locally and query the Have I Been Pwned API with the first five hash characters.

  3. Review the result

     See whether the password was found in any known data breaches and, if so, how many times it has appeared.

  4. Check the strength meter

     Review the strength indicator for additional context on the password's overall robustness.

Frequently asked questions

Is my password sent to a server?
No. Your password is hashed locally using SHA-1 via the Web Crypto API. Only the first five characters of the hex hash are sent to the Have I Been Pwned API. This k-anonymity model makes it mathematically infeasible to reconstruct your password from the request.
What does k-anonymity mean?
K-anonymity means the API receives a hash prefix that matches hundreds of other hashes, so it cannot determine which specific password you are checking. Your full hash never leaves your browser.
Should I change my password if it appears in a breach?
Yes. If a password appears even once in a breach database, attackers may include it in credential-stuffing attacks. Change it immediately and use a unique password for every account.
Why does this use SHA-1 if it is considered weak?
The Have I Been Pwned API indexes passwords by SHA-1 hash. SHA-1's weaknesses apply to collision resistance, not to this lookup use case. Your password's security does not depend on SHA-1 here — the hash is only an index key.

Verify whether a password has been exposed in any known data breach using the Have I Been Pwned API. Your password is never sent to any server — the tool hashes it locally with SHA-1 via the Web Crypto API, sends only the first five characters of the hash (k-anonymity), and checks the response for a match. If found, you will see how many times the password has appeared in breached datasets. A built-in strength meter gives you additional context alongside the breach check.
