What is a pwned password check?
A "pwned" password is one that has appeared in a known data breach. Attackers compile these leaked passwords into lists and try them against other accounts — a technique called credential stuffing. This tool checks whether a password appears in Have I Been Pwned's database of billions of breached passwords.
If a password shows up here, it is unsafe to use anywhere, even if it looks complex, because it is already in attackers' wordlists.
How it protects your privacy (k-anonymity)
Your password is never sent anywhere. The tool hashes your password with SHA-1 in your browser, then sends only the first five hexadecimal characters of that hash to the Have I Been Pwned range API. The API returns every breached hash that begins with those five characters, and the final match against the rest of your hash is done locally in your browser.
This technique, called k-anonymity, means the service never learns your password or even its full hash — it only ever sees a five-character prefix shared by thousands of different passwords.
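The client-side logic described above, modelled in Python as an added example (not the tool's own code): the password is hashed locally, only the 5-character prefix is handed to a fetcher, and the suffix match happens on the client. The range response is a constructed, offline sample, not real API output, and the counts in it are made up; the zero-count line imitates the padding entries the real API adds when a client sends the Add-Padding header, which a correct client must ignore.

```python
import hashlib

# Constructed stand-in for the HIBP range response for prefix "5BAA6".
# Real responses contain hundreds of "SUFFIX:COUNT" lines; these counts are
# made up. A count of 0 is what padding entries look like (Add-Padding header).
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4F8A5C2D9E7B0A1C3F6D8E2B4A7C9D0E1:0
"""


def split_hash(password: str) -> tuple[str, str]:
    """Hash locally and split into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0)."""
    entries: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            entries[suffix.upper()] = int(count)
    return entries


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in breaches (0 = not found).
    fetch_range(prefix) -> response text; the full hash is never passed on."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Hypothetical fetcher that serves the constructed sample instead of HTTP."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent: {prefix}  kept locally: {suffix}")
    print("breach count:", breach_count("password", offline_fetch))
```

In a real client, `offline_fetch` would be replaced by an HTTPS GET of the range endpoint for the prefix; the matching and the padding filter stay exactly as shown.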
What to do if your password is pwned
- Stop using it immediately, everywhere it appears.
- Change it to a long, unique password — ideally generated by a password manager.
- Enable two-factor authentication on the affected accounts.
- Never reuse passwords across sites, so a single breach can't cascade.