Password checkup
See how strong a password really is, how long it would take to crack, and whether it has already leaked in a data breach — all without your password ever leaving your browser.
Checked in your browser · k-anonymity breach check · nothing stored
Your password never leaves your browser. The breach check sends only the first 5 characters of its SHA-1 hash to Have I Been Pwned (k-anonymity), which can’t identify your password. Nothing is logged or stored.
Length wins
Each extra character multiplies the work to crack a password. A long passphrase beats a short, symbol-stuffed one.
Never reuse
A breach on one site only hurts you elsewhere if you reused the password. Using a unique password everywhere keeps the damage contained.
Let software remember
You can’t recall dozens of strong unique passwords — that’s what a password manager is for. Generate, store, autofill.
Generate strong, store safely.
Need a fresh one? Use the generator, then keep it in a password manager so you never have to remember it.
Frequently asked questions
Is it safe to type my password here?
Yes. The strength check happens entirely in your browser. The breach check sends only the first five characters of your password’s SHA-1 hash to Have I Been Pwned (a technique called k-anonymity), so your actual password is never transmitted, logged, or stored.
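The k-anonymity lookup described above, as an added example (not this site's own code): it hashes the password, puts only the 5-character prefix in the request, and compares the remaining 35 characters locally against the returned list. The function names are hypothetical, the sample response and its counts are constructed, and Node's `crypto` module stands in for the browser's `crypto.subtle.digest` so the block runs offline.

```javascript
// Added example: client side of a k-anonymity range lookup.
const { createHash } = require("crypto");

const RANGE_URL = "https://api.pwnedpasswords.com/range/";

// Split the uppercase hex SHA-1 into the 5-char prefix that is sent
// and the 35-char suffix that never leaves the client.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Only the prefix appears in the request URL.
function requestUrl(password) {
  return RANGE_URL + splitHash(password).prefix;
}

// Parse a range response ("SUFFIX:COUNT" per line) into a Map.
// Lines that do not match the expected shape are skipped, not trusted.
function parseRange(body) {
  const entries = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) entries.set(m[1].toUpperCase(), Number(m[2]));
  }
  return entries;
}

// Local comparison: how many times the password appears (0 = not found).
// Padded responses carry filler entries with a count of 0, which this
// also reports as "not found".
function breachCount(password, rangeBody) {
  const { suffix } = splitHash(password);
  return parseRange(rangeBody).get(suffix) ?? 0;
}

// Constructed sample response for prefix 5BAA6 (counts are made up).
const SAMPLE_RANGE = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42", // suffix of SHA-1("password")
  "F".repeat(35) + ":0",                    // padding-style filler entry
  "not a valid line",
].join("\r\n");
```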
What does “found in a breach” mean?
It means that exact password has appeared in a known data leak. Attackers feed leaked passwords into automated login attempts, so any password that’s been exposed should be considered burned — change it everywhere you used it.
How is the crack time estimated?
It’s a rough guide based on the password’s length and character mix against fast offline guessing. It assumes a random password — a short or common password, or a dictionary word, will fall far faster than the estimate, which is exactly what the breach check catches.
