Password Leak Checker
Check if your password has been exposed in known data breaches.
Complete Guide to Password Breach Checking
Data breaches are an unfortunate reality of the digital age. Every year, billions of passwords are exposed through hacks, leaks, and security failures at companies of all sizes. Our Password Leak Checker allows you to safely verify whether your passwords have appeared in any known data breaches, using the secure Have I Been Pwned (HIBP) API with a privacy-preserving technique called k-Anonymity.
Using a compromised password puts all your accounts at risk. Attackers regularly use "credential stuffing" - automated attacks that try leaked username/password combinations against thousands of websites. If you've reused a password that appeared in a breach, hackers may already have access to your accounts.
How k-Anonymity Keeps Your Password Private
The genius of k-Anonymity is that it allows us to check if your password has been breached without ever revealing your actual password to any external service. Here's exactly how the process works:
| Step | Action | Privacy Protection |
|---|---|---|
| 1. Local Hash | Your password is hashed using SHA-1 in your browser | Password converted to 40-character hash locally |
| 2. Prefix Extraction | Only the first 5 characters of the hash are extracted | 35 characters remain secret on your device |
| 3. API Request | 5-character prefix sent to HIBP API | API cannot determine your actual password from prefix |
| 4. Receive Matches | API returns ~500 hash suffixes starting with that prefix | Your specific hash hidden among hundreds of others |
| 5. Local Comparison | Your browser checks if your full hash is in the list | Full hash never leaves your device |
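The five steps in the table above, written out as an added Python example (this is not the page's own checker code): the password is hashed locally, the hash is split into the 5-character prefix and 35-character suffix, a constructed sample of a range response is parsed, and the suffix comparison happens on the client. The `https://api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` request header are HIBP's real ones; the sample response body, its counts, the `fetch_range`/`risk_level` helper names and the way shared boundaries in the breach-count table are assigned to a band are assumptions made for this example.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint; only the 5-hex-char prefix is appended.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response: one "<35-char suffix>:<count>" per line.
# The second line is the genuine SHA-1 suffix of the string "password"; every
# count and the other suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5B3C0B1B9C0B0E1E2F3A4B5C6D7E8F9A0:0
"""


def sha1_hex(password: str) -> str:
    """Step 1: hash locally. HIBP indexes uppercase hex SHA-1 digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hash: str) -> tuple[str, str]:
    """Step 2: the 5-char prefix may leave the device; the 35-char suffix never does."""
    return sha1_hash[:5], sha1_hash[5:]


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Step 3: the only network call, carrying nothing but the prefix.
    Not exercised offline. Add-Padding asks HIBP to pad the response so its
    size does not reveal which prefix was queried."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true",
                 "User-Agent": "password-leak-checker-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Step 4: turn 'SUFFIX:COUNT' lines into a lookup table, skipping junk lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Step 5: compare the secret suffix against the returned list, locally.
    The lookup is keyed by suffix only, exactly as a browser would do against
    the response it received for its own prefix."""
    _prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)


def risk_level(count: int) -> str:
    """Map a count onto the page's risk table. The table's shared boundaries
    (100, 10,000, 1,000,000) are treated as the start of the higher band;
    that is an assumption of this example, not something the page states."""
    if count <= 0:
        return "Good (but verify)"
    if count < 100:
        return "High Risk"
    if count < 10_000:
        return "Very High Risk"
    if count < 1_000_000:
        return "Extreme Risk"
    return "Critical"


def check_password_offline(password: str, range_body: str) -> tuple[int, str]:
    """Run steps 1, 2, 4 and 5 against an already-fetched range body."""
    n = breach_count(password, range_body)
    return n, risk_level(n)


if __name__ == "__main__":
    prefix, suffix = split_hash(sha1_hex("password"))
    print(f"prefix sent to HIBP: {prefix}   suffix kept on device: {suffix}")
    print(check_password_offline("password", SAMPLE_RANGE_RESPONSE))
    print(check_password_offline("correct horse battery staple", SAMPLE_RANGE_RESPONSE))
```

In a live check the body passed to `check_password_offline` would come from `fetch_range(prefix)`; the comparison logic is identical either way, which is the point of the design: the server only ever learns the prefix, and every decision about the full hash is made on the client.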
Understanding Breach Counts
When a password is found in breaches, we display how many times it has appeared. Here's what different counts typically indicate:
| Breach Count | Risk Level | Recommended Action |
|---|---|---|
| 1-100 | High Risk | Change immediately on all accounts |
| 100-10,000 | Very High Risk | Change immediately; password is commonly used |
| 10,000-1,000,000 | Extreme Risk | This is a very common password; change and never reuse |
| 1,000,000+ | Critical | One of the most common passwords (like "123456"); immediate action required |
| 0 (Not Found) | Good (but verify) | Not in known breaches, but ensure it's still strong |
What is Have I Been Pwned?
Have I Been Pwned (HIBP) is a free service created by Troy Hunt, a renowned security researcher and Microsoft Regional Director. The service aggregates data from publicly disclosed data breaches and allows people to check if their personal information has been compromised. Key facts about HIBP:
- Database Size: Over 12 billion compromised accounts indexed
- Password Database: Over 850 million unique passwords from breaches
- Trusted By: Governments, banks, 1Password, Firefox, and major corporations
- Privacy Focus: Implements k-Anonymity to protect user queries
- Free to Use: No cost for personal use and basic API access
- Open Source: The k-Anonymity API design is publicly documented
Privacy Guarantee: The HIBP API never receives your actual password or even your complete hash. Only a 5-character prefix (out of 40 total characters) is transmitted. This means there are over 16 million possible passwords that could match any given prefix - making it mathematically impossible for HIBP to determine which password you're checking. This privacy-preserving method is used by 1Password, Firefox, and other major security-focused organizations.
Major Data Breaches to Be Aware Of
| Breach | Year | Records Exposed | Data Types |
|---|---|---|---|
| Collection #1-5 | 2019 | 2.2 billion | Emails, passwords from multiple breaches |
| | 2012/2021 | 700 million | Emails, passwords, profile data |
| | 2019 | 533 million | Phone numbers, names, emails |
| Adobe | 2013 | 153 million | Emails, encrypted passwords |
| MySpace | 2016 | 360 million | Emails, passwords, usernames |