Has This Password Leaked?
Type a password below to check it against billions of credentials exposed in real data breaches. The check is fully private: your password is hashed inside your browser and only the first 5 characters of that hash — matching over a million possible passwords — are ever sent. If it's been leaked, you'll see exactly how many times.
Has this password leaked?
Your password never leaves this browser. It's hashed locally; only the first 5 characters of the hash (matching over a million possible passwords) are sent — the k-anonymity model explained below.
Powered by the Have I Been Pwned Pwned Passwords dataset — billions of real passwords collected from real data breaches. We never see, store, or transmit your password.
What This Tool Actually Checks
When a company gets breached, the stolen database rarely stays private. Password dumps get traded on criminal forums, merged into giant "combo lists", and eventually surface publicly. The Have I Been Pwned Pwned Passwords project — the independent breach-notification service this tool queries — collects those leaked passwords into a single searchable corpus of billions of entries, each with a count of how many separate breach records it appeared in.
That count is the number this tool shows you. A password found "3,847 times" isn't a theoretical risk: it sits in thousands of breach records that attackers actively load into automated cracking and login tools. Common passwords appear millions of times; even passwords that feel personal and obscure — a pet's name plus a birth year — often show up hundreds of times, because millions of other people had the same idea.
Two things this tool deliberately does not do. It never stores or transmits what you type — the entire comparison happens in your browser, as the k-anonymity section below explains. And it doesn't measure strength: a brand-new random password will pass this check and a weak one might too. For the strength question, run the same password through our password strength checker — the two checks answer different questions, and a password needs to pass both.
How k-Anonymity Lets Us Check a Password We Never See
Sending a password to a "leak checker" sounds like the worst idea in security — and if the password actually traveled to a server, it would be. The reason this tool is safe is a protocol called k-anonymity range search, introduced in 2018. Here is the complete flow, step by step:
- Your browser computes the SHA-1 hash of the password locally, using the
crypto.subtleAPI built into every modern browser. The result is a fixed 40-character hexadecimal fingerprint — for example, the passwordpassword123always hashes toCBFDAC6008F9CAB4083784CBD1874F76618D2A97. - The browser sends only the first 5 characters of that hash (
CBFDAin the example) toapi.pwnedpasswords.com/range/CBFDA. Nothing else. Not the password, not the full hash. - The API returns every breached hash that starts with those 5 characters — typically 800 to 1,000 suffixes, each with its breach count.
- Your browser scans that list locally for the remaining 35 characters of your hash. A match means the password is in the breach corpus; no match means it isn't. The verdict is computed on your machine.
The privacy math is what makes this elegant. Five hex characters give 165 = 1,048,576 possible prefixes, and SHA-1 spreads passwords across them essentially uniformly. So the prefix you send matches roughly one millionth of every password that has ever existed or ever will — millions upon millions of candidate passwords share it. The server learns only that you asked about one of them. That's the "k" in k-anonymity: your query is indistinguishable from k other possible queries, where k is enormous.
| Data | Leaves your browser? | What the server could learn from it |
|---|---|---|
| Your password | Never | Nothing — it doesn't exist outside your browser |
| Full SHA-1 hash (40 chars) | Never | Could be cracked or looked up for weak passwords — which is why it stays local |
| Hash prefix (5 chars) | Yes — the only thing sent | That you queried one of millions of passwords sharing that prefix |
| The verdict (found / not found) | Computed locally | Nothing — the server never knows if any suffix matched |
The protocol even defends against traffic analysis: this tool requests response padding, so the API inflates every answer with dummy entries and all responses look alike on the wire. An observer watching your encrypted connection can't infer anything from the response size. After you run a check, the tool shows you a "what actually left your browser" receipt — your real hash with the 5 sent characters highlighted — so you can verify the claim rather than take our word for it. This is the same mechanism password managers and even some browsers use for their built-in breach warnings.
How Credential Stuffing Turns One Leak Into Ten Hacked Accounts
Why does a password leaking from one obscure forum matter for your email, your bank, or your streaming accounts? Because of credential stuffing — the single most common way ordinary people get hacked, and it involves no "hacking" of you at all.
The attack chain is an assembly line. First, breach databases from hundreds of sites are merged into combo lists — files with billions of email-and-password pairs, sold cheaply or shared freely. Second, attackers load a combo list into automated tooling that replays every pair against login pages of valuable targets: email providers, banks, payment services, streaming platforms, game stores. Third, the traffic is laundered through huge proxy networks, so the target site sees thousands of ordinary-looking logins from thousands of ordinary-looking home IP addresses instead of one suspicious server hammering the door.
The success rate per attempt is tiny — typically a fraction of a percent — but the volume is astronomical, and every hit is an account takeover that cost the attacker almost nothing. The only reason it works is password reuse: the attacker isn't guessing your password, they're replaying it from a site that already lost it. If the password you checked above came back pwned and you've used it on more than one site, credential stuffing is not a hypothetical — pieces of that attack are likely already probing your accounts.
One connection-level footnote: credential stuffing happens on the attacker's machines, so a VPN can't stop it — only unique passwords can. What a VPN protects is the other route to the same outcome: credentials intercepted or session cookies hijacked on hostile networks like public Wi-Fi. Our best VPN rankings cover that side; this tool and the steps below cover this one. Account security needs both.
Your Password Is Pwned — Do These 6 Things Now
A pwned result isn't a reason to panic, but it is a reason to act today rather than this weekend. Work through this list in order:
- Change it on your most important account first. Email is almost always the crown jewel — whoever controls your inbox can reset every other password you own. Then banking and payment accounts, then everything else.
- Change it everywhere else you've used it. This is the step people skip, and it's the one credential stuffing exploits. If the same password guards five accounts, all five are burned — changing just one leaves four doors open.
- Replace it with a unique random password per site. Never a variation of the old one: attackers' tools automatically try
password1→password2and seasonal suffixes. Our password generator creates strong random passwords entirely in your browser. - Store them in a password manager. Unique passwords on dozens of sites are impossible to memorize by design. A password manager makes the secure habit the easy habit — and its autofill refusing to fill on a lookalike domain doubles as phishing protection.
- Turn on two-factor authentication (2FA). With 2FA, a stolen password alone no longer opens the account. An authenticator app or hardware key beats SMS codes, but any 2FA beats none — prioritize email, banking, and anywhere a payment card is stored.
- Check whether your email address has been breached too. The address-search side of Have I Been Pwned tells you which breaches included your accounts and what else leaked alongside the password — names, addresses, sometimes partial card numbers. Knowing which breach hit you tells you what phishing to expect next, because breach victims get targeted with convincing "reset your account" lures built from their own leaked data.
How to Read Your Result
The verdict panel is deliberately blunt, but the nuance matters — here is exactly what each outcome does and doesn't mean:
| Result | What it means | What to do |
|---|---|---|
| Found — high count (1,000+) | A common password that sits in every attacker's starter dictionary | Retire it permanently, everywhere, today |
| Found — low count (1–50) | Leaked from specific breaches — possibly one of your accounts | Same urgency: it's in circulation; change it everywhere |
| Not found | Absent from known, published breaches — not proof of strength or safety | Verify it's also long, random, and unique to one site |
| Check failed | The breach API couldn't be reached (network or ad-blocker) | Retry — nothing about your password was sent or lost |
A low count deserves special attention rather than relief. A password seen three times isn't "three times safer" than one seen three million times — it may mean a password you genuinely used was captured in a specific breach, which makes a targeted replay against your other accounts more likely, not less. Treat any non-zero count as a retirement notice.
Password Leak Questions, Answered
Is it really safe to type a password into this page?
Yes — and you don't have to trust us, because the design removes the need for trust. The password is hashed by your own browser, only 5 characters of the hash leave your machine, and those 5 characters match millions of possible passwords. Open your browser's developer tools, watch the Network tab while you run a check, and you'll see a single request to api.pwnedpasswords.com/range/XXXXX containing nothing but that prefix. That said, the universal rule still applies: for maximum caution, change any password right after checking it — which is exactly what you should do with a pwned one anyway.
Isn't SHA-1 broken? Why use it here?
SHA-1 is broken for collision resistance — forging two documents with the same hash — which is why it's been retired from certificates and signatures. Here it's used for something entirely different: a fast fingerprint for looking up known-leaked passwords in a database that's indexed by SHA-1. The full hash never leaves your browser, so its weaknesses never come into play. The separate question — "should websites store passwords as SHA-1?" — has a firm answer: no; sites should use slow, salted algorithms designed for password storage. Many breached sites didn't, which is partly why these leaks are so damaging.
My password wasn't found. Does that mean it's strong?
No — the two properties are independent. This tool answers "has this exact string appeared in a known breach?", nothing more. A short password built from your dog's name can be absent from every breach and still fall to a dictionary attack in minutes, and a breach that hasn't been discovered or published yet is invisible to any checker. Pair this check with our password strength checker: leaked-status and crack-resistance together give you the real picture.
Where do the breach counts come from?
From the Pwned Passwords corpus, which aggregates passwords exposed in real, verified data breaches over more than a decade — plus ongoing ingestion of newly circulating credential dumps, including feeds identified by law enforcement. The count is how many separate breached records contained that exact password. It only ever grows: passwords are never removed from the corpus, because once leaked, a password can never be un-leaked.
Should I check every password I use?
Check the ones that matter most: email, banking, anything storing a payment card, and any password you know you've reused. If you use a password manager, an audit feature that performs this same k-anonymity check across your whole vault at once is the more thorough option. And if checking feels tedious because you have one password guarding twenty accounts — that tedium is the diagnosis. Generate unique replacements with the password generator and the problem disappears permanently.
Can a VPN stop my passwords from leaking?
Not from a website's database being breached — that happens on the site's servers, far beyond any tool on your device. What a VPN prevents is interception in transit: on open Wi-Fi, a VPN's encrypted tunnel stops network-level snooping on everything you send, including logins on sites with weak security. Some providers in our rankings also bundle breach-monitoring alerts that notify you when your credentials show up in new dumps — NordVPN and Surfshark both do. Think of it as defense in layers: unique passwords stop credential stuffing, 2FA stops stolen passwords from working, and a VPN stops hostile networks from harvesting new ones.
Why do you show how many hashes came back from the database?
Transparency. The "what actually left your browser" receipt after each check shows your hash with the 5 transmitted characters highlighted, plus the number of candidate hashes the database returned for local comparison — typically 800 to 1,000. That bucket size is the k-anonymity model made visible: the server handed back an entire crowd of possibilities precisely because it has no idea which one you care about. We'd rather show you the mechanism than ask you to trust a privacy badge.
A Leaked Password Is Only Half the Problem
Attackers pair breached credentials with unencrypted traffic on public Wi-Fi to hijack accounts. Fix the password above, then lock down the connection — see the VPNs we actually tested and ranked.
See Our Top-Rated VPNs8 VPNs benchmarked on real hardware — see how we test.
More Free Tools
Every tool on vpnrank.io is free, runs instantly, and never requires an account.
What Is My IP
See the IP address websites see
WebRTC Leak Test
Check if your browser leaks your real IP
Is My VPN Working?
One-click check that your VPN actually protects you
VPN Kill Switch Test
Verify your kill switch blocks traffic on drop
IP Address Lookup
Look up any IP's location, ISP, and hostname
Password Generator
Create strong random passwords locally
Password Strength Checker
Test how fast a password would crack