Has your password been pwned?
Check any password against 850+ million leaked credentials, score its strength, and get fix-it advice — all without sending the password anywhere. We use HaveIBeenPwned’s k-anonymity API: only the first five hex characters of the SHA-1 hash leave your browser.
Your password never leaves your browser. We hash it locally with SHA-1, send only the first 5 hex characters to HaveIBeenPwned, and compare the suffix list locally (k-anonymity).
How to read these results.
Strength score
The 0–4 score combines character variety, length, and detected patterns. Score 4 means roughly 80+ bits of entropy — a modern GPU would take longer than the age of the universe to brute-force it.
Breach count
The number of times this exact password has appeared in known data breaches. Anything > 0 means it's already on every cracker's wordlist. Even one occurrence is enough to compromise every service where the password is reused.
Crack time
Estimated time for a single GPU to brute-force this password offline (1e10 guesses/second). Online attacks are far slower because of rate limits, but offline attacks happen after every breach.
k-anonymity
We use the HIBP range API: the browser sends a 5-character hash prefix and gets back a list of suffixes. Your full password and full hash never leave your browser. You can verify this in DevTools → Network.
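The lookup described above, as an added example rather than this site's own code. The function names are hypothetical, `SAMPLE_RANGE` and its counts are constructed, and the endpoint is HIBP's public range URL.

```javascript
// Added example, not this site's code. SAMPLE_RANGE is a constructed
// response body: "SUFFIX:COUNT" lines, counts made up for illustration.
const SAMPLE_RANGE = [
  '0123456789ABCDEF0123456789ABCDEF012:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42', // suffix of SHA-1("password")
].join('\r\n');

// Split a 40-hex-char SHA-1 into the 5-char prefix that is sent and the
// 35-char suffix that stays in the browser.
function splitHash(hashHex) {
  const h = hashHex.toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) throw new Error('expected 40 hex characters');
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// The only URL the check requests: it carries the prefix and nothing else.
function rangeUrl(prefix) {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error('prefix must be 5 hex characters');
  return `https://api.pwnedpasswords.com/range/${prefix}`;
}

// Local comparison: find our suffix in the returned list, 0 if absent.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [s, n] = line.trim().split(':');
    if (s && s.toUpperCase() === suffix) return parseInt(n, 10) || 0;
  }
  return 0;
}

// Hash in the browser with Web Crypto; the password itself is never sent.
async function sha1Hex(password) {
  const buf = await crypto.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return [...new Uint8Array(buf)].map(b => b.toString(16).padStart(2, '0')).join('');
}

// Full check. fetchRange is injectable so the flow can be run offline.
async function pwnedCount(password, fetchRange = async (prefix) => {
  const res = await fetch(rangeUrl(prefix));
  if (!res.ok) throw new Error(`range lookup failed: ${res.status}`);
  return res.text();
}) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(await fetchRange(prefix), suffix);
}
```

Calling `pwnedCount('password', async () => SAMPLE_RANGE)` runs the whole flow against the constructed body without touching the network.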
What to do if a password is breached.
1. Change it immediately on every account where you used it. Reuse is what turns one leaked password into account takeover across half your digital life.
2. Use a password manager. 1Password, Bitwarden, and KeePass generate and store unique passwords per site. The math doesn’t work without one.
3. Enable 2FA wherever it’s offered. Authenticator apps (Authy, Google Authenticator, 1Password) beat SMS — SIM-swap attacks are real.
4. Generate replacements with our Password Generator or our new Diceware tool. Both run client-side; nothing transmits.