Password Security Checker

How This Works (Privacy-Preserving)

Your password is NEVER sent to any server. We use a technique called k-Anonymity to check breaches while protecting your privacy:

• Your password is hashed locally using SHA-1 (one-way encryption)
• Only the first 5 characters of the hash are sent to Have I Been Pwned
• The service returns ALL hashes starting with those 5 characters (800-1000 matches)
• Your browser compares the full hash locally to find a match
• Result: Nobody ever knows which specific password you checked

Example: If your password hash is 5BAA6..., we send only 5BAA6 and receive ~900 possible matches. Your actual password stays completely private.

Password Best Practices

• Length matters: Use at least 12-16 characters
• Use unique passwords: Never reuse passwords across sites
• Use a password manager: Let software generate and store strong passwords
• Enable 2FA: Add a second layer of security (authenticator app, hardware key)
• Avoid patterns: Don't use dictionary words, birthdates, or sequential characters
• Check regularly: Periodically verify your passwords haven't been compromised