Breach Test

Privacy-first security check

We never store your password. Checks run locally and send only a small hash prefix to HIBP.

How it works

K-anonymity keeps your check invisible

Only a hashed fragment ever leaves your browser. HIBP returns possible matches and your device makes the final comparison, so the full secret never travels.

  • Local hashing: your password is hashed using SHA-1 directly in the browser.
  • Prefix lookup: only the first 5 hash characters are sent to HIBP.
  • Local comparison: the returned list is checked on your device, keeping the full hash private.
  • Transport security: every request is wrapped in HTTPS/TLS.
  • Response padding: HIBP pads every response to a constant size so metadata like payload length reveals nothing extra.

How the privacy-preserving check works

[Diagram: k-Anonymity password breach check. Your browser hashes a password, sends only the first five characters of the SHA-1 hash to HIBP, receives matching suffixes, and verifies locally whether any suffix matches.]

  1. Hash your password & send prefix: your browser computes SHA-1(password), splits it into a prefix (for example 5BAA6) and a suffix, and sends only the prefix via HTTPS.
  2. Filter by prefix → return candidates: the HIBP range endpoint returns the list of suffixes, with counts, for prefix 5BAA6.
  3. Confirm locally: does suffix match? Result shown in the diagram: No match (not found).
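The three steps above, written out as an added example (not this site's own code). The helper names, the stubbed `fetchRange`, and the sample response with its counts are constructed for illustration; `hibpRange` shows the live call to HIBP's range endpoint and is assumed to run where `fetch` is available.

```javascript
// Added example: browser-side k-anonymity range check (not this site's code).
// Web Crypto is global in browsers; the fallback is for older Node runtimes.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = new Uint8Array(await subtle.digest('SHA-1', bytes));
  return Array.from(digest, b => b.toString(16).padStart(2, '0')).join('').toUpperCase();
}

// Return the breach count for a 35-char suffix in a "SUFFIX:COUNT" response body.
// Malformed lines are skipped; padding rows carry a count of 0 and read as "not found".
function matchSuffix(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (m && m[1].toUpperCase() === suffix.toUpperCase()) return Number(m[2]);
  }
  return 0;
}

// fetchRange(prefix) -> Promise<string>; injected so the network call is swappable.
async function checkPassword(password, fetchRange) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);            // the only value sent off-device
  const count = matchSuffix(await fetchRange(prefix), hash.slice(5)); // compared locally
  return { prefix, breached: count > 0, count };
}

// Live lookup against HIBP's range endpoint, requesting padded responses.
const hibpRange = prefix =>
  fetch(`https://api.pwnedpasswords.com/range/${prefix}`, { headers: { 'Add-Padding': 'true' } })
    .then(res => { if (!res.ok) throw new Error(`HIBP returned ${res.status}`); return res.text(); });

// Constructed sample response for prefix 5BAA6 (counts are made up; last row is padding).
const SAMPLE_5BAA6 = [
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:7',
  '0A1B2C3D4E5F60718293A4B5C6D7E8F9012:0',
].join('\r\n');
const sentPrefixes = [];                       // records what would leave the device
const stubRange = async prefix => { sentPrefixes.push(prefix); return SAMPLE_5BAA6; };

checkPassword('password', stubRange).then(r => console.log(r));
```

Passing `hibpRange` instead of `stubRange` performs the real lookup; the password and the full hash stay inside `checkPassword` either way.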

Frequently Asked Questions