Cactus
Has your password been breached?
Check a password against billions of credentials exposed in known data breaches. Your password is hashed in your browser and never leaves your device.
How your privacy is protected
- Your password is hashed (SHA-1) right in your browser - the password itself is never sent anywhere.
- Only the first 5 characters of the hash are sent (k-anonymity), so no one can tell which password you checked.
- SHA-1 here is just a lookup key to match the public breach list (which is stored as SHA-1) - not a security measure. Your privacy comes from k-anonymity, not the hash.
- Nothing is stored. The check runs against the Have I Been Pwned 'Pwned Passwords' dataset.
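The lookup described in the list above, as an added example in Python (not this site's own code). The function names, the `fetch_range` callback and the sample response are assumptions made for the illustration; the response uses the `SUFFIX:COUNT` line format of the Pwned Passwords range lookup, and rows with a count of 0 are treated as padding.

```python
import hashlib

def split_hash(password):
    """Return (prefix, suffix): the 5 hex chars that are sent, the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Find the locally kept suffix in a range response of SUFFIX:COUNT lines."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) != 35 or not count.isdigit():
            continue  # skip malformed rows instead of trusting them
        if candidate.upper() == suffix:
            return int(count)  # a count of 0 is a padding row: not breached
    return 0

def check(password, fetch_range):
    """fetch_range(prefix) is the only call that crosses the network boundary."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))

# Constructed response for prefix 5BAA6; the counts are made up for this example.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "0" * 35 + ":3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",  # suffix of SHA-1("password")
    "F" * 35 + ":0",                            # padding-style row
])

SENT = []  # records everything the fake server was asked for

def fake_fetch_range(prefix):
    """Offline stand-in for the range lookup; logs what left the device."""
    SENT.append(prefix)
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    print("hits:", check("password", fake_fetch_range))
    print("sent to server:", SENT)
```

The `SENT` log holds only the 5-character prefix, which is what a network capture of the real check should show as well.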
Frequently asked questions
How do I know if my password has been leaked?
Enter it here. We check it privately against billions of leaked passwords: your password is hashed in your browser, and only the first 5 characters of the hash are sent to us (k-anonymity).
Is it safe to type my password into this checker?
Yes. Your password never leaves your device; only a short prefix of its hash is sent, so we never see your actual password.
What should I do if my password was breached?
Change it immediately on that site and anywhere you reused it, turn on two-factor authentication, and switch to a unique passphrase.