
2026-07-04
How to Check if Your Password Has Been Leaked (Without Risking It)
Yes, you can safely check a password against 900+ million leaked ones — thanks to k-anonymity, the password never leaves your device. Here's how it works and what to do if you're hit.
Over 900 million real passwords are circulating in breach databases, and attackers feed them into automated login attempts around the clock. The obvious question — "is mine in there?" — comes with an obvious worry: how do you check a password against a database without handing over the password itself? The answer is a clever piece of cryptography called k-anonymity, and it makes the check completely safe.
The short answer
Use our Password Leak Checker. Your password is hashed on your device, only the first 5 characters of the hash are transmitted, and the actual comparison happens in your browser. Neither we nor the breach database ever see your password — or even its full hash.
How k-anonymity checking works
- Your browser computes the SHA-1 hash of your password locally — say 5BAA61E4C9... (40 characters).
- Only the first 5 characters (5BAA6) are sent to the Have I Been Pwned API.
- The API returns every leaked hash beginning with those 5 characters — typically 500-1,000 of them.
- Your browser checks whether your full hash is in that returned list.
The server only ever learns that someone asked about one of ~800 possible passwords in that bucket. It cannot tell which one, and it cannot reverse the prefix. This protocol was designed by Cloudflare and Troy Hunt in 2017 and is now used by password managers and even browsers themselves.
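The four steps above as an added Python example, not code from this site's checker: the range URL and the Add-Padding request header are the public Have I Been Pwned API's, while the response body and every count in it are constructed for the demo so it runs offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the API returns for prefix 5BAA6 (a real
# response holds 500-1,000 lines of SUFFIX:COUNT). The counts are made up for
# this demo; the middle suffix is the real SHA-1 tail of the string "password".
CONSTRUCTED_RANGE_5BAA6 = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"   # count 0 = padding entry
)

def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return the 5-char prefix that is sent and the 35-char suffix that is kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines (CRLF or LF); padding entries with count 0 are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts

def fetch_range_hibp(prefix: str) -> str:
    """Live lookup: only the prefix goes on the wire; padding hides the bucket size from observers."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_hibp, serving only the constructed bucket."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""

def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Steps 1-4: hash, send prefix, receive bucket, compare the full suffix locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "Summer2026!"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

Pass `fetch_range=fetch_range_hibp` to `breach_count` for a live check; the password and its full hash still never leave the process.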
What "found in a breach" actually means
If your password shows up with a count — say, 2,340 times — it means that exact string appeared in at least that many breached accounts across sites like LinkedIn (2012), Adobe (2013), Collection #1 (2019) and hundreds of others. Attackers compile these into dictionaries and try them everywhere. A leaked password is not "weak" — it is known, which is worse.
What to do if your password is leaked
- Change it immediately on every site where you use it. Attackers automate cross-site attempts (credential stuffing) within hours of new breaches.
- Never reuse the replacement. One password per site, no exceptions — a password manager makes this effortless.
- Generate, don't invent. Humans produce predictable passwords. Use our Password Generator for 16+ random characters.
- Turn on two-factor authentication. With 2FA, a leaked password alone cannot open your account. Our passwords & 2FA guide walks through setup in five minutes.
What if it is NOT found?
Good news, but not a guarantee of strength. "Not in known breaches" only means that exact string has not been publicly leaked. Summer2026! is not in the database either — and would fall to a targeted guess in minutes. Length and randomness still decide real strength.
Frequently asked questions
Is it safe to type my real password into a checker? Into this kind of checker — yes, because of k-anonymity. Be suspicious of any site that asks for your password and your email together; that pattern is indistinguishable from phishing.
How often should I check? Check your important passwords once, fix what is found, then rely on breach notification instead — Have I Been Pwned lets you subscribe to alerts for your email address.
My password is leaked but the account seems fine. Do I still need to change it? Yes, today. Automated attacks run continuously; "seems fine" only means your turn has not come yet.
Can I check my email address for breaches too? Yes — haveibeenpwned.com checks which breaches included your email. That tells you which accounts to prioritise for password changes and 2FA.