HIBP Password Check (k-anonymity)

This tool checks if your password (or its SHA-1 hash) appears in known breaches using the Have I Been Pwned range API. It never sends the full password to HIBP – only the first 5 characters of the SHA-1 hash.

Mode A: Enter password (server will hash)

Local server will compute SHA-1 and only query HIBP with the first 5 characters.
Planned API request:
SHA-1 prefix:
URI: https://api.pwnedpasswords.com/range/[prefix]
Only the 5-character prefix of the SHA-1 will be sent.

Mode B: Client-side hash (send SHA-1 only)

Local server will compute SHA-1 and only query HIBP with the first 5 characters.

Planned API request:
SHA-1 prefix:
URI: https://api.pwnedpasswords.com/range/[prefix]
Only the 5-character prefix of the SHA-1 will be sent.

Tips: Use a password manager, enable MFA, and never reuse passwords. The HIBP Range API requires no API key, but please include a descriptive User-Agent and respect rate limits. Consider HTTPS even locally.