LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS


Have I Been Pwned — Password Check

Check whether a password appears in known data breaches using HIBP’s k-anonymity API. We SHA-1 the password in your browser and only send the first 5 chars of the hash — your password and full hash never leave the page.

Hashed in-browser with WebCrypto SHA-1. Only the first 5 hex chars of the hash are sent to HIBP.

    What it does

    Have I Been Pwned (HIBP) maintains a database of 800 million+ passwords seen in real-world data breaches. The k-anonymity API lets you check a password without ever transmitting it: hash the password with SHA-1, send only the first 5 characters of the hash to HIBP, and HIBP returns every hash starting with those 5 chars plus a breach count. You compare locally. Even HIBP doesn’t know which password you checked. Our implementation does the SHA-1 in your browser via WebCrypto, so the full hash and the password itself never leave your tab.


    How to use it

    1. Type or paste a password. Click "Check".
    2. Your browser hashes it locally with SHA-1.
    3. Only the first 5 hex chars of the hash are sent to HIBP’s range API.
    4. HIBP returns a list of all matching suffixes with their breach counts.
    5. Your browser scans the list for your specific suffix and reports the count.
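The five steps above carried out end to end, as an added Python example (this is not the page's own tool, which hashes in the browser with WebCrypto and JavaScript). The range URL and the optional Add-Padding header are HIBP's real ones; the sample range response, its neighbouring suffixes and all counts are constructed for the demo, so the count for "password" here is not HIBP's actual figure.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex, split into the 5-char prefix that is sent to
    HIBP and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, 0 when absent. Padding entries (count 0,
    present when Add-Padding is requested) are read as 'not found'."""
    target = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == target:
            return int(count.strip() or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char prefix goes over the wire."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str, range_body: Optional[str] = None) -> int:
    """Breach count for password; fetches from HIBP unless a response
    body is supplied (the offline path used by the sample below)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_body is None:
        range_body = fetch_range(prefix)
    return count_in_range(suffix, range_body)


# Constructed stand-in for the response to /range/5BAA6 (prefix of
# SHA-1("password")). Real responses hold ~500 lines; the middle suffix is
# the genuine one for "password", the neighbours and all counts are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD7:12",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0",  # padding-style entry
])

if __name__ == "__main__":
    print(is_pwned("password", SAMPLE_RANGE_5BAA6))
```

Calling `is_pwned("password")` with no second argument performs the real range request; the count is what a signup form would compare against zero before accepting the password.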

    Common use cases

    Personal account audit: Check every password you currently use. Pwned passwords are top targets for credential-stuffing — replace immediately.
    User-signup screening: Block sign-up if a candidate password is pwned. NIST 800-63B explicitly recommends this as the "screened password" criterion.
    Password manager hygiene: 1Password, Bitwarden, and others integrate the HIBP feed natively — but if you’re without a manager, use this for spot-checks.

    Frequently asked questions

    Is the password sent to HIBP?
    No. Only the first 5 chars of its SHA-1 hash. The hash itself is one-way, and we send just the prefix. HIBP receives ~500 candidate hashes and can’t distinguish which (if any) you actually checked.

    What if the password is "not found"?
    It means it hasn’t appeared in any of the 800M+ breached passwords HIBP catalogs. It does NOT mean the password is strong — a random 4-character password is also "not found" but trivial to crack.

    How fresh is the data?
    HIBP updates the password set as new breaches are processed. Lag from breach disclosure to inclusion is typically days to weeks.

    What about email-based pwnage check?
    That’s the HIBP "search by email" feature — a different API. Visit haveibeenpwned.com directly for email-account-breach lookup.

    Free for everyone, no signup required. Tool runs at /tools/hibp-check/ — bookmark or share.