Password health check

Privacy-first password audit. Your password never leaves your device — breach checking uses k-anonymity (only the first 5 characters of the SHA-1 hash are sent).

Your password is checked securely using the k-anonymity method. We hash your password locally with SHA-1 and send only the first 5 characters of the hash to Have I Been Pwned's range API. Your actual password never leaves this browser. No logs, no storage.

Password to check

Press Enter to check. Nothing is stored — each check is independent.

Generate a strong password

—

Length18

Include numbersInclude symbolsExclude lookalike chars (Il1O0)

Generated on your device using crypto.getRandomValues with rejection sampling (no modulo bias). Nothing is sent to any server.

Email breach check

Enter an email to see which public breaches have included it. This query goes through our server (the HIBP key stays server-side). No email address is stored.

Crack-time estimates assume a modern GPU running ~10 billion guesses/sec against an unsalted hash. A service that hashes with bcrypt/argon2 would be slower by 6+ orders of magnitude, which is why reputable sites use those. Treat crack-time as an order-of-magnitude read on relative strength.