🔐 K-ANONYMITY — Your password never leaves your device

Password Breach Checker

Check if your password was exposed in known data breaches — anonymously and privately

🔐 How We Protect Your Privacy
  1. Your password is hashed using SHA-1 entirely in your browser
  2. Only the first 5 characters of the hash are sent to the API
  3. The API returns all hash matches for that prefix (~500 results)
  4. Your browser checks locally if your password's hash is in the list
  5. Your actual password NEVER leaves your device
This is called k-anonymity — the same model used by Have I Been Pwned (HIBP), trusted by security researchers worldwide and endorsed by Troy Hunt, Microsoft, and NCSC.
🔍 Check a Password
🔐 Technical detail: SHA-1 hash computed via crypto.subtle.digest('SHA-1', ...) in your browser. First 5 hex chars sent to api.pwnedpasswords.com/range/{prefix}. Response contains ~500 hash suffixes checked locally. Zero privacy risk.
📋 Bulk Password Check
Paste one password per line to check multiple passwords at once.
📧 Email Breach Check: To check if your email address was in a breach, visit haveibeenpwned.com directly. PassKit only checks passwords, not email addresses.

🚨 If Your Password Was Found — What to Do

  1. Change the password on every site where you use it immediately
  2. Generate a new strong password using PassKit's generator
  3. Use a unique password for every site going forward
  4. Enable two-factor authentication (2FA) on important accounts
  5. Consider using a password manager to manage unique passwords everywhere

How Does PassKit Check Passwords Without Exposing Them?

PassKit.in uses the HaveIBeenPwned Pwned Passwords API with k-anonymity — a privacy model that makes it mathematically impossible for the server to learn which password you checked. Here is exactly what happens when you click "Check Password":

  1. Your browser computes the SHA-1 hash of your password (e.g., 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8)
  2. Only the first 5 characters (5BAA6) are sent to the HIBP API over HTTPS
  3. The API returns all hash suffixes that start with 5BAA6 — typically 400–900 results
  4. Your browser checks locally whether your full hash suffix appears in that list
  5. Result: safe or compromised — displayed instantly, nothing transmitted except 5 harmless characters

What Is k-Anonymity?

K-anonymity is a privacy property: a query is indistinguishable from at least k−1 other possible queries, so the server learns only that the real query is one of k candidates. In the HIBP model, sending only the first 5 hex characters of the hash selects a bucket of roughly 500 stored hashes (k ≈ 500); the API cannot determine which of those hashes, if any, is yours. This technique was designed by Troy Hunt (creator of HIBP) and Cloudflare researchers, and is endorsed by NCSC (UK), Microsoft, and security researchers worldwide.

What Is SHA-1 Hashing?

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that converts any input into a fixed 160-bit digest, written as a 40-character hexadecimal string. It is a one-way function: you cannot reverse a SHA-1 hash to obtain the original password, although SHA-1 is fast enough that an attacker holding a full hash could test many candidate passwords against it, which is why PassKit.in sends only the first 5 characters and never the full hash. PassKit.in uses the browser's native crypto.subtle.digest('SHA-1', ...), so no external library is required. While SHA-1 is deprecated for digital signatures, where collision resistance matters, it remains appropriate for this HIBP lookup use case, which only needs to match known hashes.

What Happens If My Password Is Found in a Breach?

A result showing your password appeared in breaches means that exact password string has been exposed in at least one known data breach and is now in attacker databases. You should change that password immediately on every account where you use it. Use PassKit.in's password generator to create a new, unique password for each account, and store them in a password manager.

Frequently Asked Questions

HaveIBeenPwned (HIBP) is a service by security researcher Troy Hunt that collects passwords exposed in data breaches — over 10 billion compromised passwords as of 2025. When PassKit.in checks a password, it sends only the first 5 characters of the SHA-1 hash to HIBP's API. The API returns ~500 matching hashes. Your browser checks locally if your full hash is in that list. Your actual password never travels over the network.
On PassKit.in, yes — because your password is hashed entirely in your browser before any network request. The SHA-1 hash is computed locally via crypto.subtle.digest(), and only 5 of the resulting 40 characters are sent over the network. It is mathematically impossible to recover your original password from 5 hex characters out of context.
K-anonymity ensures your query blends in with hundreds of other queries. Sending the first 5 hash characters returns ~500 matching hashes from the HIBP server. The server cannot determine which of those 500 hashes you are looking for — your query is indistinguishable from 499 others. This privacy model was co-developed by Troy Hunt and Cloudflare in 2018.
Change it immediately on every account where you use it. Use PassKit.in's password generator to create a unique, strong replacement for each account. Never reuse passwords — if one account is breached, unique passwords prevent attackers from accessing your other accounts (credential stuffing attacks).
As of 2025, HaveIBeenPwned contains over 10 billion compromised passwords collected from hundreds of data breaches including LinkedIn (117M), Adobe (153M), Collection #1–5, RockYou2021 (8.4B), and many others. If your password appears even once in this database, it is considered compromised and should be replaced immediately.