Password leak checker — check whether your password has been seen in known breaches using k-anonymity (HIBP API style); the password never leaves your browser.
- Runs locally
- Category Text
- Best for Checking file type, size, metadata, and obvious mismatch signals before sharing.
Type a password above and click Check. Nothing is sent until you click.
What this tool does
A serious password breach checker that uses the public HaveIBeenPwned k-anonymity API the same way 1Password and Firefox Monitor do — your full password is NEVER sent over the network. Here is exactly what happens when you click "Check": we compute SHA-1 of your password inside the browser using the Web Crypto API (crypto.subtle.digest), take the first 5 hex characters of the hash, and send only those 5 characters to api.pwnedpasswords.com. The server returns ~800 hash suffixes that share that 5-char prefix — a haystack of hundreds of candidates, none identifiable. The actual match lookup (against your full 35-char suffix) runs locally in your JavaScript. The server never sees your password, never sees your full hash, and cannot derive either. We add a tiny strength readout (length / charset / common-pattern flags) and concrete advice after the check completes. Even with k-anonymity protecting you, if you typed a real production password here, our top recommendation is still: rotate it inside a password manager that generates random per-site passwords for you.
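The flow described above, as an added example (not this tool's own source code). The function names, the injected `fetchRange` parameter and the sample response body are constructed for illustration, and the HTTP request is replaced by a stub so the block runs offline.

```javascript
// Added example: HIBP-style range check with the network call injected.
async function sha1Hex(text) {
  // Web Crypto in browsers and recent Node; dynamic import is a Node fallback.
  const subtle = globalThis.crypto?.subtle
    ?? (await import('node:crypto')).webcrypto.subtle;
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Parse "SUFFIX:COUNT" lines; return the count for our suffix, 0 if absent.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix.toUpperCase()) {
      return Number.parseInt(count, 10) || 0; // malformed count -> treat as 0
    }
  }
  return 0;
}

// fetchRange(prefix) -> Promise<string> is a hypothetical injection point.
async function checkPassword(password, fetchRange) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5); // the only value handed to the network layer
  const suffix = hash.slice(5);    // 35 hex chars, compared locally
  const body = await fetchRange(prefix);
  return { prefix, suffixLength: suffix.length, count: countInRange(suffix, body) };
}

// Constructed response body: counts are made up, not real HIBP data.
const SAMPLE_RANGE = [
  '0018A45C4D1DEF81644B54AB7F969B88D65:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42', // suffix of SHA-1("password")
  '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0',  // zero-count row: must not be a hit
].join('\r\n');

// Offline stub standing in for the HTTP request.
const stubFetchRange = async (prefix) => SAMPLE_RANGE;

// In a browser, the fetcher would be something like:
// (p) => fetch(`https://api.pwnedpasswords.com/range/${p}`).then((r) => r.text())

checkPassword('password', stubFetchRange).then((r) => console.log(r));
```

Because the fetcher receives only `prefix`, anything that logs or proxies the request can see 5 hex characters and nothing else.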
Tool details
- Input
- Numbers
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy + Preview
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- May use a live lookup
- A network call is detected in the component, so redact sensitive data when appropriate.
- Save / share
- No account required
- Open the page and use it; whether results survive refresh depends on the tool.
- Performance budget
- Initial JS <= 18 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Text · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
- 1. Input: Paste or drop your content into the tool panel.
- 2. Process: Click the button. All processing is local in your browser.
- 3. Copy / Download: Copy the result or download to disk in one click.
How Password Leak Checker fits into your work
Use it before upload, handoff, archive, support review, or any moment where a file needs one local check before it leaves your machine.
File jobs
- Checking file type, size, metadata, and obvious mismatch signals before sharing.
- Preparing mixed folders for upload, archive, intake, or review.
- Keeping sensitive files in the browser instead of sending them to an account-based service.
File checks
- Do not treat the extension alone as proof of the real file type.
- Review metadata before a file goes to customers, vendors, or a public page.
- Keep the original file until the copied, converted, or exported result is verified.
Real-world use cases
Vetting a password before you reuse it on a new signup
You are about to reuse your old "go-to" password on a fresh account. Paste it here first. If it comes back with a count of 3,400, it has appeared 3,400 times in breach data, the same data attackers build cracking dictionaries from. Generate a fresh 20-char random one for the new site instead and you have spent 15 seconds avoiding a credential-stuffing takeover.
Auditing a team's shared service account during offboarding
An engineer leaves and you inherit a shared CI or monitoring login. Before deciding whether rotation is urgent, check the current password here. A count of 0 means it is at least not in any public dump yet; any count above 0 moves rotation to today. The k-anonymity flow means you never expose the live credential to a third party.
Teaching a non-technical relative why "Summer2024!" is risky
Your parent insists their password is "complicated enough." Type a close pattern like "Summer2024!" and show them the count, often in the tens of thousands. Seeing a real number lands harder than a lecture. Then open the linked password generator together and set up Bitwarden so they only memorize one master phrase.
Confirming a password-manager-generated string is genuinely unique
Even random generators occasionally produce a string already seen in a breach if it is short or low-entropy. After generating a 12-char password, paste it here. A count of 0 confirms it is not in the 800M+ corpus, so you can trust it as a one-off. For anything guarding money or email, bump the length to 20+ chars and re-check.
Common pitfalls
Thinking a "count of 0" means the password is strong. It only means it is not in a public dump yet. "Xq7" has a count of 0 too, and is trivially brute-forced. Check length and charset, not just leak status.
Re-using a leaked password after only changing the trailing digit, e.g. "monkey1" → "monkey2". Attacker rule sets test these mangling patterns first, so the "new" password is already cracked.
Pasting a live production password without rotating it afterward. Even with k-anonymity, the right move once you have typed it anywhere is to assume it is spent and generate a fresh random one in your manager.
Privacy
Your password is hashed with SHA-1 entirely inside your browser via the Web Crypto API, and only the first 5 hex characters of that hash ever leave your device, sent to the public HIBP range API. The full password, the full hash, and the final match comparison all stay local. This tool deliberately does NOT sync the password to the URL, so nothing sensitive lands in your history, bookmarks, or a shared link. Nothing is stored on our servers.