K-anonymity model
Only SHA-1 hash prefix (5 chars) is sent; suffix matching is performed locally in-browser.
Pwned password check
Security toolsCheck password breach exposure using Have I Been Pwned k-anonymity range API.
Updated
Password breach check
Uses Have I Been Pwned k-anonymity API.
Only first 5 SHA-1 chars are sent; full password stays local.
Quick start
How to check breached passwords
Run HIBP k-anonymity check locally from password hash prefix.
- Step 1Enter password
Type password to test against breach corpus.
- Step 2Run check
Tool sends only SHA-1 prefix to HIBP API.
- Step 3Act on result
If matched, rotate password and enable MFA.
In-depth guide
Pwned password check
Check whether a password appears in known breach corpora using HIBP's privacy-preserving k-anonymity API.
Password policy use
Reject breached passwords during signup/reset and encourage passphrases with MFA.
When to use it vs alternatives
Use this tool for quick browser-based work when you need an answer or output immediately. Use a dedicated application or automated workflow when you need bulk processing, approvals, or repeatable production rules.
Step-by-step usage
- Enter password — Type password to test against breach corpus.
- Run check — Tool sends only SHA-1 prefix to HIBP API.
- Act on result — If matched, rotate password and enable MFA.
Common pitfalls
- Check the result before replacing the original input.
- Watch for unit, format, encoding, and browser memory limits on large inputs.
- Keep a copy of important source material until the output is verified.
Frequently asked questions
Does this send my full password?
No. It sends only the first 5 characters of SHA-1 hash prefix (k-anonymity model).
What service is used?
Have I Been Pwned Pwned Passwords API over HTTPS.
Can I trust a zero result?
Zero means no known match in the corpus for that hash, not absolute future safety.
Keep exploring
More tools you'll like
Hand-picked utilities that pair well with the one you're on — all free, client-side, and zero-signup.
More security tools
See all →- AES text encrypt/decrypt Popular New
Encrypt and decrypt text locally with AES-256-GCM and passphrase-derived keys.
- JWT generator (HS256) Popular New
Generate signed HS256 JWTs from custom header and payload JSON locally.
- TOTP tool New
Generate 6-digit rolling TOTP codes and otpauth URIs from Base32 secrets.
Popular across EpitomeTool
Browse all →- PDF toolsPDF compressor Popular
Shrink PDF file size without uploading to a server.
Open tool - Fitness & healthBMI calculator Popular
Body Mass Index with metric / imperial inputs and WHO category bands.
Open tool - PDF toolsPDF merger Popular
Combine multiple PDFs into one in your browser.
Open tool - PDF toolsPDF splitter Popular
Split a PDF by pages or page ranges, download as zip.
Open tool