Why check passwords against breach data?
Reused passwords from public dumps are a common way accounts get hijacked. This password breach scanner uses Have I Been Pwned’s Pwned Passwords service so you can see whether a password has appeared in known corpora—then rotate it and enable 2FA where possible.
How k-anonymity works here
The Pwned Passwords range API never receives your full password or its full hash: only a short prefix of the password's SHA-1 hash is sent over the network. The service replies with the hash suffixes that share that prefix, and your browser completes the match locally. That limits exposure compared to uploading plaintext to any server, including ours.
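The client side of that exchange, as an added example (not this tool's own code). It assumes the 5-hex-character prefix and the SUFFIX:COUNT line format of the Pwned Passwords range API; the response body is constructed inline so the example runs offline, and the function names are hypothetical.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the range API, suffix kept on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Complete the match locally against a range response body.

    Each line is SUFFIX:COUNT. Malformed lines are skipped, and padded
    entries (count 0) are reported the same as "not found".
    """
    wanted = suffix.upper()
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue  # ignore anything that is not SUFFIX:COUNT
        if candidate.upper() == wanted:
            return int(count)
    return 0


def constructed_body(password: str, count: int) -> str:
    """Build a sample (constructed) range response containing the password."""
    _, suffix = split_hash(password)
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",  # constructed decoy entry
        f"{suffix}:{count}",                      # entry for the password
        "F" * 35 + ":0",                          # constructed padding entry
    ])


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    # Only `prefix` would be appended to https://api.pwnedpasswords.com/range/
    body = constructed_body("password", 1234)
    print(prefix, count_in_range(suffix, body))
```

The full password and the 35-character suffix never appear in the request; the server only learns which bucket of hashes was asked for.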
Email breach history
To see whether an email address appears in breach records, use the free search on the official Have I Been Pwned website. This tool does not collect email addresses.
Limits
No public database covers every leak. A “clean” result does not prove a password was never exposed elsewhere. Use unique passwords, MFA, and safer browsing habits (eSafe helps with extension risk and checkout safety).