Tools

Has This Password Been Pwned?

Check whether a password has shown up in known data breaches. If it has, attackers already have it on their guess lists, and you should never use it. This is safe to use: your password is hashed inside your browser and never sent anywhere.

How this stays private: your browser computes a SHA-1 hash of the password and sends only the first five characters of that hash to look up matches (a technique called k-anonymity). The password itself, and the rest of the hash, never leave your device. Data comes from the free Have I Been Pwned Pwned Passwords service.

Found in a breach? Replace it.

Generate a fresh strong one with our password generator and store it in a manager.

Get the plain-English security newsletter

One short email when we publish something useful. No spam, no fearmongering. Unsubscribe anytime.