Saw Tools

Password leak checker

Find out if a password has appeared in a known data breach — without ever revealing it.

Related guide: How data breaches actually work

Your password never leaves your browser. It is hashed locally, and only the first 5 characters of that hash are sent to the Have I Been Pwned API (the k-anonymity model). The service can never see what you typed.

How this checker works

When you click Check, your browser computes the SHA-1 hash of the password locally. It then sends only the first five characters of that hash to the Have I Been Pwned “Pwned Passwords” API. The server replies with every leaked hash sharing that 5-character prefix — typically several hundred — and the final comparison happens on your device. This technique, called k-anonymity, means the service never learns your password, nor even its full hash.

What a result tells you

  • Found in a breach. The exact password string is in datasets that have leaked publicly. Attackers feed these lists into automated “credential stuffing” attacks. Treat the password as burned: change it everywhere it was used.
  • Not found. The password has not appeared in the leaks indexed so far. That is reassuring, but not a strength guarantee — a short or predictable password can still be cracked. Length and uniqueness matter most.

Why reused passwords are the real danger

A single breach rarely matters in isolation. The damage comes from reuse: when the same password protects your email, your bank, and a forum that got breached in 2019, one leak unlocks all three. This is why security researchers insist on a unique password per account — and why a checker like this one is most useful as a prompt to stop reusing. For the full picture, read our guide on how data breaches happen and what to do about them.

Is this the same as “Have I Been Pwned”?

It uses the same trusted database, queried through the same public API. The difference: this page checks passwords entirely client-side. To check whether an email address has been caught in a breach, use haveibeenpwned.com directly — that lookup needs an authenticated key that should never be exposed in a browser.

What to do if your password leaked

Found a match? Don’t panic — act methodically. The goal is to make that password worthless to anyone who has it, and to stop the problem from recurring.

  • Change it now, starting with your most sensitive accounts (email first — it’s the master key that resets everything else).
  • Make every new password unique and long. Generate one in two clicks with our cryptographically secure password generator.
  • Turn on two-factor authentication wherever it’s offered — ideally an authenticator app or a passkey rather than SMS.
  • Stop memorising and reusing. A password manager remembers a unique password for every account so you never have to. See our 2026 password manager comparison to choose one.

Recommended password managers

The single most effective fix for leaked passwords is to never reuse one again — which is exactly what a password manager makes effortless. Here are three we recommend, ranked by alignment with our privacy-first approach.

This section contains affiliate links. If you subscribe through them, SAW TOOLS earns a commission at no extra cost to you — this is what keeps our tools free.

Proton Pass

Swiss · Privacy-first

  • End-to-end encryption, audited open-source code
  • Built by the team behind ProtonMail
  • Built-in breach monitoring and email aliases

From $1.99/month (free plan available)

NordPass

Mainstream · Audited

  • Zero-knowledge architecture, regular audits
  • Unlimited sync across all devices
  • Built-in data breach scanner

From $1.79/month (free plan available)

Dashlane

French · Premium

  • French company, based in Paris
  • VPN included on paid plans
  • Real-time dark web monitoring

From $3.99/month (limited free plan)

Prefer 100% open source with no commercial ties? Bitwarden is an excellent free, self-hostable alternative. We earn no commission on this recommendation.

Frequently asked questions

Is it safe to type my password into this checker?

Yes. The tool uses the k-anonymity model: your password is hashed with SHA-1 inside your browser, and only the first 5 characters of that hash are sent to the Have I Been Pwned API. The password itself, and even its full hash, never leave your device — the service cannot determine what you typed.

How can a website check my password without ever seeing it?

Your browser computes the SHA-1 hash locally, then sends only the first 5 characters. The server returns every leaked hash that shares those 5 characters (hundreds of candidates), and the final match runs on your device. The server never learns which one — if any — was yours.
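The lookup described in this answer and under "How this checker works", as an added example (not this site's own code). It uses Node's crypto module and a constructed, synchronous stand-in for the server so it runs offline; in a browser the hash would come from `crypto.subtle.digest("SHA-1", ...)` and the range would be fetched over HTTPS. The names `checkPassword`, `fetchRange`, `fakeRangeServer` and all counts are assumptions made for illustration.

```javascript
// Added example: the k-anonymity range lookup, run against a constructed offline "server".
const { createHash } = require("node:crypto");

// SHA-1 of the password as 40 uppercase hex characters.
function sha1Hex(password) {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Parse a range response body: one "SUFFIX:COUNT" pair per line.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(":");
    if (/^[0-9A-F]{35}$/i.test(suffix || "")) {
      counts.set(suffix.toUpperCase(), Number.parseInt(count, 10) || 0);
    }
  }
  return counts;
}

// fetchRange(prefix) -> response body. Only the 5-character prefix is handed to it;
// the 35-character suffix is compared locally against the returned candidates.
function checkPassword(password, fetchRange) {
  const hash = sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5);
  const count = parseRange(fetchRange(prefix)).get(suffix) || 0;
  return { sent: prefix, breached: count > 0, count };
}

// Constructed stand-in for the server: a tiny "leak corpus" with made-up counts.
const LEAKED = new Map([[sha1Hex("password"), 1000], [sha1Hex("letmein"), 50]]);
const seenByServer = [];
function fakeRangeServer(prefix) {
  seenByServer.push(prefix); // everything the server ever learns about the query
  const lines = [];
  for (const [hash, n] of LEAKED) {
    if (hash.startsWith(prefix)) lines.push(`${hash.slice(5)}:${n}`);
  }
  lines.push(`${"0".repeat(35)}:0`); // zero-count filler entry (constructed); not a match
  return lines.join("\r\n");
}

console.log(checkPassword("password", fakeRangeServer));
console.log(checkPassword("a long unique passphrase 7Q", fakeRangeServer));
console.log("server saw:", seenByServer);
```

The `seenByServer` array holds only 5-character prefixes, which is the whole of what the remote side can log about a query.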

What does “appeared in X breaches” actually mean?

It means that exact password string has shown up X times across the breaches catalogued by Have I Been Pwned. It does not necessarily mean one of your accounts was hacked — but it does mean the password is publicly known to attackers and must never be used again.

My password was not found — am I safe?

Not being in the database is good, but it is not a guarantee of strength. It only means the password has not appeared in the leaks indexed so far. A short or guessable password can still be cracked. Aim for length, randomness, and a unique password per account.

Can I check my email address with this tool?

This tool checks passwords, because the Pwned Passwords range API is free and works entirely client-side. To check whether an email address appears in a breach, use haveibeenpwned.com directly — the email search requires an authenticated key that cannot be safely exposed in a browser.