How does k-anonymity protect my password?

Your password is hashed with SHA-1 in your browser, and only the first 5 characters of that hash are sent to the API. HIBP returns every breached hash sharing that prefix, and the final match is done locally. The full password and full hash never leave your device.

Does a match mean my account is hacked?

No. A match means the password itself appears in a public breach corpus — somewhere, in some breach. It does not mean your specific account is compromised, but it does mean the password is known to attackers and should never be used.

Why does it use SHA-1 and not a stronger hash?

The Have I Been Pwned Pwned Passwords range API is built around SHA-1 prefixes, so the tool must use SHA-1 to query it. SHA-1 here is only an index into a public list — it is not protecting your password, the k-anonymity model is.

Is a not-found result a guarantee my password is safe?

No. Not found only means the password is not in the HIBP corpus. A weak but unbreached password is still easy to guess, so you should always combine this check with a strength check and never reuse passwords.

Do I need an API key?

No. The Pwned Passwords range endpoint is a free, public, keyless API. This tool calls it directly from your browser with the Add-Padding header so even the response size does not reveal whether a match was found.

Have I Been Pwned — k-Anonymity Breach Checker

The Have I Been Pwned Pwned Passwords service lets you check whether a password has ever appeared in a known data breach. The clever part is how it does this without seeing your password: through a technique called k-anonymity. This tool implements that protocol faithfully, so you can check real credentials with confidence that nothing sensitive is exposed.

How it works

The k-anonymity flow has four steps, the first and last of which happen entirely in your browser:

Your password is hashed with SHA-1 locally using the Web Crypto SubtleCrypto API, producing a 40-character hex hash.
Only the first 5 characters (the prefix) are sent to https://api.pwnedpasswords.com/range/{prefix}.
The API returns every breached hash suffix sharing that prefix — typically several hundred — each with the number of times it has been seen in breaches.
Your browser searches that list for the remaining 35 characters of your hash. If it is there, the count tells you how exposed the password is.

Because the server only ever sees a 5-character prefix shared by many thousands of passwords, it cannot tell which one you were checking — and the response is padded so its size leaks nothing either.

Tips and notes

A high count is a red flag: a password seen millions of times is in every attacker’s first guess list. Stop using it immediately.
A count of zero is reassuring but not a strength rating. Pair this with the entropy meter to confirm the password is also hard to guess.
If the check fails to connect, it is almost always a transient network issue — retry. Your password is never stored, so there is no risk in re-running it.
This relies on the live HIBP range service. It is a free public API and needs no key, but it does require a network connection (the hashing and matching are local; only the prefix lookup goes out).