Has your password been breached?
Check any password against billions of leaked credentials — privately, without ever sending the password itself.
Your password is hashed in your browser and only the first 5 characters of the hash are ever sent (a technique called k-anonymity). The password itself never leaves your device. Powered by the free Have I Been Pwned Pwned Passwords API.
How this stays private
The checker hashes your password locally and sends only the first five characters of that hash. The breach service returns every match for that prefix, and your browser finds the rest — so the full password and full hash never leave your device. This is called k-anonymity.
What to do if a password is breached
Change it everywhere you used it, and never reuse it again. Switch to a long, unique passphrase or a password manager, and turn on two-factor authentication where you can. A breached password is only dangerous while you keep using it.
How to create a strong password
Length beats complexity: a passphrase of four or more random words is both stronger and easier to remember than a short scramble of symbols. Use a different one for every account so a single breach can't unlock the rest of your life.
FAQ
- Is it safe to type my password here?
- Yes. Your password is hashed in your browser with SHA-1, and only the first 5 characters of that hash are sent to the breach database (k-anonymity). The password itself never leaves your device.
- What does it mean if my password was found?
- It means that exact password has appeared in one or more public data breaches and is on lists attackers use to guess credentials. Stop using it everywhere and change it to a unique password.
- Where does the breach data come from?
- From Have I Been Pwned, a free, widely-trusted service that aggregates passwords exposed in real-world data breaches into a searchable, anonymized database.
Protect your connection too
A strong password guards your accounts; Zic VPN guards your traffic. Get both.
Download Zic VPN