Your password never leaves your browser
Your password is hashed with SHA-1 locally. Only the first 5 characters of the hash are sent to HaveIBeenPwned's API using k-Anonymity. Your actual password is never transmitted to any server.
SHA-1 Hash (k-Anonymity)
Only the first 5 characters (shown in teal) are sent to the API.
Password Security Tips
- Use a password manager (Bitwarden, 1Password, or KeePass) to generate and store unique passwords.
- Never reuse passwords across different sites — a breach on one site compromises all others.
- Enable two-factor authentication (2FA) on every account that supports it.
- Use passwords with 16+ characters mixing letters, numbers, and symbols.
- Check your email address for breaches at haveibeenpwned.com.
How k-Anonymity Works
1. Your password is hashed with SHA-1 entirely in your browser using the Web Crypto API.
2. Only the first 5 characters of that hash are sent to the HaveIBeenPwned API.
3. The API returns all hashes that start with those 5 characters (hundreds of them) — your hash is anonymous among the crowd.
4. Your browser checks the returned list locally — HIBP never learns which specific hash you queried.