Free tool · your password never leaves your browser
Pwned Password Checker
Checks a password against the Have I Been Pwned breach dataset using k-anonymity: the password is SHA-1 hashed locally and only the first five hash characters are sent, so neither the password nor its full hash ever leaves your device.
How k-anonymity works: your password is hashed with SHA-1 in your browser; only the first 5 characters of that hash are sent to the HIBP range API, which returns every matching suffix; the comparison happens locally. HIBP never sees your password or its full hash. The field is cleared after each check.