Zero Data Retention · Quantum-Ready Entropy · 256-bit Minimum · Client-Side Only · Post-Quantum Ready · Zero Knowledge · NIST SP 800-63B · FIPS 140-3 Aligned · No Account Needed · DoD Compliant
Free security tool

Has your password been in a breach?

Check against 900 million+ compromised passwords. Your password never leaves your browser — we use k-anonymity so even the checking service never sees it.

Your password never leaves your browser · k-anonymity via HaveIBeenPwned
How we protect your privacy
01. Your password is hashed using SHA-1 entirely in your browser. It never leaves your device as plaintext.

02. Only the first 5 characters of that hash are sent to the HaveIBeenPwned API, not your password and not the full hash.

03. The API returns all hash suffixes that match those 5 characters. Your browser checks locally if yours is among them.

04. Result: we never know what you checked. HIBP never receives enough data to identify your password. This is k-anonymity.
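The four steps above as code. This is an added example, not PassGeni's own implementation; the function names, the injected `fetchRange` callback and the sample response are assumptions made for illustration.

```javascript
// Added example, not PassGeni's code. Works in a browser or Node 20+.
// SAMPLE_RANGE is a constructed response body in the "SUFFIX:COUNT" line
// format returned by the HIBP range endpoint; the counts are made up.
const SAMPLE_RANGE = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
  "F".repeat(35) + ":0", // zero count, as in a padded response: not a hit
].join("\r\n");

// Step 01: hash locally with Web Crypto; returns 40 uppercase hex chars.
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = await crypto.subtle.digest("SHA-1", bytes);
  return Array.from(new Uint8Array(digest), (b) =>
    b.toString(16).padStart(2, "0")).join("").toUpperCase();
}

// Step 02: split so that only the 5-character prefix is ever sent.
function splitHash(hex) {
  if (!/^[0-9A-F]{40}$/.test(hex)) throw new Error("expected SHA-1 hex");
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Step 03: look for our suffix among the returned ones, locally.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0; // suffix absent: not in the breach corpus
}

// Steps 01-04 together. fetchRange is a caller-supplied (hypothetical)
// function that takes the prefix and resolves to the response text,
// e.g. a fetch of https://api.pwnedpasswords.com/range/<prefix>.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const body = await fetchRange(prefix); // the only value that leaves
  return countInRange(body, suffix);
}
```

Offline, `checkPassword("password", async () => SAMPLE_RANGE)` resolves to 42: the SHA-1 of "password" starts with 5BAA6, and the rest of the hash is the second line of the sample.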

Frequently asked questions

Does PassGeni see my password?

No. Your password is hashed in your browser using SHA-1. Only the first 5 characters of that hash — never the full hash, never the password — are sent anywhere. Even if someone intercepted the network request, they could not reconstruct your password from 5 characters of a hash.

What is k-anonymity?

k-anonymity is a privacy technique where a query is designed so the response is identical for k different possible inputs. In this case, thousands of different passwords share the same 5-character hash prefix, so the API cannot determine which specific password you checked.

My password wasn't found — does that mean it's safe?

Not necessarily. A password can be weak without appearing in breach databases. Common patterns like 'P@ssword1' or 'Summer2023!' may not appear in breach lists but would be cracked in seconds by a dictionary attack. Use the strength checker to evaluate quality, not just breach history.

What database does this check against?

The HaveIBeenPwned database maintained by security researcher Troy Hunt. It contains over 900 million compromised passwords from hundreds of data breaches including LinkedIn, Adobe, RockYou, and many others.

What users say

"The k-anonymity implementation is real. Only 5 chars of my SHA-1 hash go to HIBP. Checked the network tab myself — my password never left the browser."

Hana J.
Data analyst

"Used the breach checker before setting up my bank app password. Realised my old one showed up 3 times in breach databases. PassGeni probably saved me real money."

Luke S.
Uni student

"The breach checker is honest about how it works. k-anonymity, SHA-1, first 5 chars. Most tools just say 'secure' — this one explains the actual mechanism."

Hamid K.
Cybersecurity student
Try the generator

Now generate a stronger password.

Free, client-side, zero storage. Uses your profession to make it memorable.
