Password Leak Checker

This page will check with's APIs to see if your password has been leaked. I encourage you to view this page's source (secondary click (right click) -> View page source) to verify that this page isn't doing anything weird with your password.

The way this works is simple:

  1. Gather password from input
  2. Hash password with SHA-1 to get a hex string
  3. Take the first 5 characters of that hex string and send it to{first 5 hash chars}
  4. That request sends back a list of all hashes that begin with the first 5 characters you sent
  5. Check client side if your hash is in the list

Because of this, your full hashed password isn't sent anywhere. The first 5 characters aren't enough to figure out what your password is. Even if someone was able to get your returned list of hashes with your first 5 characters, they wouldn't even know if your full hash was found in the list.