Our password leak test helps you determine how secure a password is. With our first test, the entered password is checked against HIBP's database of real passwords to determine if yours has been previously exposed in data breaches. The database contains hundreds of millions of real passwords. Additionally, we check how well your password can withstand potential bruteforce attacks (both online and offline). Both together can give you an idea about the security of your chosen password.
To keep your password as secure as possible, both tests run exclusively in your browser and neither your password nor a complete password hash is transmitted over the Internet. You can find more details about this at the bottom of the page.
First the important information - your complete password will not be transferred over the Internet for verification. The verification is performed exclusively in your Internet browser.
For the verification, a SHA1 hash is generated locally in the browser from your password. From this SHA1 hash the first 5 characters (of the 40 characters long hash) are sent to the external database of HaveIBeenPwned (by Troy Hunt). From this database all password hashes are now sent to your internet browser, which contain the same 5 characters. For security reasons the list of returned password hashes is always filled with dummy entries. Only locally your browser will now check if the complete password hash is present in the returned list.
If you want details of the check, you can read Troy Hunt's blog about the technical details.
If you have any questions, you can also contact our service directly. Please note: we will also never ask you for your password.