HomeTools › Has your password been breached?

Has your password been breached?

Check instantly whether a password has appeared in a known data breach — privately. Your password never leaves your device.

This is genuinely private. Your password is turned into a fingerprint inside your browser, and only the first 5 characters of that fingerprint are ever sent — never your password, and never the full fingerprint. It's a privacy-safe method called k-anonymity.
Try one (these are safe examples): password 123456 Liverpool2024 a long random one

If your password turned up in a breach

Don't panic, but do act. Change it on every account that uses it, and never use it again. The only realistic way to have a different strong password everywhere is to let a password manager create and remember them for you.

See the best free password managers → How to set one up
How this works (and why it's safe)

When you press Check, your browser converts your password into a 40-character fingerprint called a SHA-1 hash. It sends only the first five characters to the Have I Been Pwned Pwned Passwords service, which returns every leaked fingerprint starting with those five characters — often hundreds of them. Your browser then checks the rest of the match locally. So the service never learns your password, or even which one of the hundreds you were asking about.

The database holds over 14 billion real passwords exposed in data breaches. Powered by Have I Been Pwned, the free service run by security researcher Troy Hunt.

Common questions

It says my password was found — what now?

That password is on lists criminals actively use. Change it anywhere you've used it, and give every account its own unique password. Here's the full guide to leaked passwords, including how to check your email too.

It says "not found" — am I safe?

Safer, but "not found" only means it hasn't leaked yet. A short or obvious password can still be guessed. Test how strong it is with our password strength checker.