Skip to main content
Toolzer — Free Online Tools

Security · How-to

How to Check if Your Password Has Been Leaked

Billions of usernames and passwords have leaked in breaches over the past decade. Attackers use those lists in "credential stuffing" attacks — trying each email/password pair against thousands of sites. Checking whether your password is in a known breach takes seconds and is safe if done correctly. Here's how.

Why leaked passwords are dangerous

Every time a company gets breached and their user database leaks, that data joins a pool of billions of email + password pairs traded and freely downloaded. Attackers automate "credential stuffing" — feeding those pairs into login forms on banks, cloud services, and social networks. Reused passwords are how a leaked forum account becomes a compromised email, and a compromised email becomes a compromised everything.

The safe way to check: k-anonymity

  1. Your browser computes the SHA-1 hash of your password (locally, never sent).
  2. It sends only the first 5 hex characters of the hash to the Have I Been Pwned API.
  3. The API returns every hash it knows starting with those 5 characters (about 500 on average).
  4. Your browser compares your full hash against the list — locally.
  5. You see whether your password is in a breach without ever transmitting it.

This is the industry-standard approach and the only kind of online password check you should trust.

Step-by-step with Toolzer

  1. Open the Pwned Password Checker.
  2. Type or paste the password you want to check.
  3. Read the result: either "not in any known breach" or "seen N times."
  4. If it's been seen even once — change it, everywhere you use it.

What to do if a password is leaked

  1. Change it immediately on any account that uses it — starting with email, banking, and cloud storage.
  2. Enable two-factor authentication (2FA) on every account that supports it — ideally with an authenticator app or hardware key, not SMS.
  3. Adopt a password manager. 1Password, Bitwarden, Proton Pass — pick one and let it generate unique passwords per site.
  4. Consider passkeys. Where supported, passkeys replace passwords entirely with a keypair — nothing to leak.

Check emails too

Beyond specific passwords, check whether your email address appears in any known breaches at haveibeenpwned.com. You'll see which services leaked and roughly what data (email, password, name, DOB, etc.). Sign up for their free notification service and you'll get an email the next time your address appears in a new breach.

Common mistakes

  • Pasting your password into random sites. If a checker isn't clearly using k-anonymity, don't use it.
  • Only changing on the breached site. If you reused the password, every account is at risk.
  • Adding a number or symbol. Password123!Password124! is not a new password to a credential-stuffing bot with any brains.
  • Relying only on 2FA. 2FA is critical but not a substitute for changing a leaked password.

Try it on Toolzer

Frequently asked questions

Is it safe to check my password on a website?+

Only if the site uses k-anonymity — sending just the first 5 characters of your password's SHA-1 hash, never the password itself. Toolzer's checker uses the Have I Been Pwned API in exactly this way. Never enter a password on a site that doesn't clearly explain the check.

What does 'my password was found in X breaches' mean?+

It means this exact password appeared in a dataset of leaked credentials. Someone, somewhere, used it and their account was breached. If you use the same password, attackers may already be trying it against your email.

Do I need to change my password if it's leaked?+

Yes — and everywhere you use it. Even if this specific account hasn't been attacked yet, credential-stuffing bots try leaked passwords against millions of sites every day.

How do password checkers work without seeing my password?+

SHA-1 hash your password locally → send just the first 5 hex characters to the API → receive back all hashes with that prefix → check locally if your full hash is in the list. The full password never leaves your browser.

How often should I check?+

Whenever a service you use suffers a breach (subscribe to breach notifications), or every few months as a routine hygiene check on your most sensitive passwords.

What if my password isn't in any breach?+

Good — but that only means it hasn't been leaked in a known breach yet. It says nothing about strength. A weak but never-leaked password (like 'kittens2024') is still easily guessable.