Has Your Password Been Leaked? Here's How to Find Out
Learn how to check if your password has been in a data breach using safe, proven methods like HIBP, k-anonymity APIs, and password managers.
Every few weeks, another company announces a breach: millions of email addresses, password hashes, and sometimes plain-text credentials dumped onto the open web. If you've reused a password anywhere — even once — there's a real chance it's already circulating in a credential-stuffing list. The good news is you can check whether your passwords have been exposed in seconds, without ever sending the actual password to a third party.
Here's exactly how to do it safely, what the results mean, and what to do next.
Why checking matters more than you think
Attackers don't usually guess passwords. They take leaked credential dumps and replay them across hundreds of services — banks, email providers, GitHub, AWS consoles — betting that someone reused the same login. This is called credential stuffing, and it accounts for a large share of account takeovers.
If your password appears in any known breach corpus, treat it as fully public. It doesn't matter how complex it looks. Tr0ub4dor&3 was xkcd's example of a password that is hard for humans to remember yet easy for computers to guess; today it sits in common cracking wordlists and will be tried early in any run.
The safe way to check: k-anonymity
You should never paste your real password into a random website. The standard safe method uses a technique called k-anonymity, applied to password checking by Troy Hunt's Have I Been Pwned (HIBP) Pwned Passwords API: you reveal only enough of the hash to match a large group of other passwords, never enough to identify yours.
How k-anonymity works
- Your browser or tool hashes your password locally using SHA-1.
- Only the first 5 hex characters of the 40-character hash are sent to the API.
- The server returns every suffix in its database that shares those 5 characters — roughly 800 on average, since 850 million hashes are spread across 16^5 = 1,048,576 possible prefixes.
- Your tool checks locally whether the remaining 35 characters of your hash appear in that list.
The server never sees your password and never sees your full hash; a 5-character prefix narrows the search to hundreds of candidate passwords, so it cannot tell which one you checked. (Strictly, an observer of encrypted traffic could infer the prefix from the response size; HIBP mitigates this with an optional Add-Padding: true request header that pads each response with dummy entries whose count is 0.) As of writing, HIBP indexes over 850 million unique compromised passwords from hundreds of breaches.
Five practical ways to check your passwords
1. Use Have I Been Pwned directly
Go to haveibeenpwned.com/Passwords. Type a password into the box. It uses k-anonymity under the hood — you can verify this in your browser's DevTools Network tab; only the first 5 hash characters are sent. If a password has appeared in breaches, you'll see a count like "seen 3,861,493 times".
2. Check by email instead of password
At haveibeenpwned.com, enter your email address to see which breaches your account appears in. You won't get the actual leaked password back, but you'll know which services were compromised and roughly when — useful for prioritising which passwords to rotate first.
3. Let your password manager do it
Most modern managers run breach checks automatically:
- 1Password — Watchtower scans your vault against HIBP and flags reused, weak, and breached passwords.
- Bitwarden — Free vault health reports include "Exposed Passwords" and "Data Breach Report".
- Dashlane / Keeper / NordPass — All include dark-web monitoring tiers.
Run the report monthly. Treat any flagged entry as compromised and rotate it.
4. Use browser-built breach warnings
- Chrome — Settings > Autofill and passwords > Google Password Manager > Checkup.
- Firefox — Firefox Monitor (now Mozilla Monitor) is built on HIBP, and the browser's own password manager at about:logins shows a breach alert next to saved logins whose site appears in a known breach.
- Safari — iCloud Keychain shows "Security Recommendations" for breached and reused passwords.
5. Query the API yourself
If you're a developer auditing user passwords at registration, hit the API directly:
curl https://api.pwnedpasswords.com/range/21BD1
This returns every suffix in HIBP's corpus whose SHA-1 hash starts with 21BD1, one per line in the form SUFFIX:COUNT (upper-case hex; 35-character suffix). Compare the remaining 35 characters of your own hash against that list locally. Never send a full hash. The endpoint is free and unauthenticated, and HIBP documents it as having no rate limit. Send the header Add-Padding: true if you want responses padded to a uniform size (padding entries carry a count of 0 and must be ignored), and append ?mode=ntlm to look up NTLM hashes instead, which is useful when auditing Active Directory password hashes.
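The k-anonymity exchange described under "How k-anonymity works", and the developer lookup from this step, implemented end to end as an added example (this is not HIBP's or the page author's code). It computes the SHA-1 locally, sends only the 5-character prefix with Add-Padding: true, drops the count-0 padding entries, and matches the suffix locally. The network fetch is injectable so the whole thing can be exercised offline against SAMPLE_RANGE_5BAA6, a constructed range response (the counts in it are made up; the suffix for "password" is real). acceptable_for_signup is the check a registration flow would run.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what /range/5BAA6 looks like. 5BAA6 is the real prefix of
# SHA-1("password"); the counts are invented, and the last line imitates a padding entry.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash locally; only the first 5 hex chars ever leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, discarding Add-Padding entries (count 0)."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Real network fetch of one prefix bucket. Add-Padding keeps response sizes uniform."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range, serving only the constructed 5BAA6 bucket."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus; 0 means not indexed."""
    prefix, suffix = sha1_prefix_suffix(password)
    bucket = parse_range_response(fetch(prefix))
    return bucket.get(suffix, 0)


def acceptable_for_signup(password: str, fetch=fetch_range) -> bool:
    """Registration policy: reject any password seen even once."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    # Offline demo; swap fake_fetch for fetch_range to query HIBP for real.
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=fake_fetch), "occurrences")
```

Swap fake_fetch for the default fetch_range to run it against the live API; nothing else changes, which is the point of the injectable fetch.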
What the results actually mean
- 0 occurrences — The password hasn't appeared in any indexed breach. That's not the same as "safe forever" — new breaches happen weekly. It just means it's not currently in a public wordlist.
- 1–10 occurrences — An unusual password that nonetheless turned up in at least one breach, whether because someone else chose it too or because an account of yours was in the dump. Still compromised. Rotate it.
- 1,000+ occurrences — This is a common password attackers will try first in any credential-stuffing run. Change it immediately, even if you've never used it on a breached site.
What to do when a password is compromised
- Change it on the affected site first. Use a generated, unique password — 20+ characters, random.
- Change it anywhere you reused it. Be honest with yourself about reuse; this is where most damage happens.
- Enable 2FA / MFA. Prefer TOTP apps (Authy, Aegis, 1Password) or hardware keys over SMS.
- Check session activity. Sign out all other devices in account settings. Review recent logins for unfamiliar IPs or locations.
- Rotate API keys and tokens if the account had any (GitHub PATs, AWS keys, OAuth tokens).
Test new passwords before you commit to them
Don't just check existing passwords — vet new ones before you save them. A password can be unique to you and still weak (predictable structure, dictionary base word, low entropy). Run any candidate through a strength evaluator that scores entropy, detects common patterns, and flags known-breached values.
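The difference between "unique but weak" and "strong" that this paragraph describes, shown as an added example (not AXOX Hub's checker). It contrasts the naive entropy a character-class counter reports with an estimate that assumes the attacker knows the password's structure (dictionary word, leet substitutions, capitalisation, short suffix). COMMON_BASES is a constructed toy wordlist, ASSUMED_DICTIONARY_SIZE and the per-suffix-character alphabet of 43 are assumptions, and the helper names are mine.

```python
import math
import re

# Constructed stand-in for a real dictionary / leaked-password list.
COMMON_BASES = {"password", "troubador", "letmein", "qwerty", "welcome", "admin", "dragon"}
ASSUMED_DICTIONARY_SIZE = 50_000          # assumption: size of the attacker's base-word list
LEET = str.maketrans("0134@$!", "oleaasi")  # common leet substitutions undone
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def charset_size(pw: str) -> int:
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII symbols
    return size


def naive_entropy_bits(pw: str) -> float:
    """What a checker that only counts character classes and length reports."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def split_base_and_suffix(pw: str) -> tuple[str, str]:
    """Peel off a short trailing run of digits/symbols: 'Tr0ub4dor&3' -> ('Tr0ub4dor', '&3')."""
    m = re.fullmatch(r"(.*?)([^A-Za-z]{0,4})", pw)
    return m.group(1), m.group(2)


def pattern_findings(pw: str) -> list[str]:
    """Human-readable reasons a password is predictable."""
    findings = []
    base, suffix = split_base_and_suffix(pw)
    normalised = base.lower().translate(LEET)
    if normalised in COMMON_BASES:
        findings.append(f"dictionary word '{normalised}' after leet/case normalisation")
    if suffix:
        findings.append(f"trailing digits/symbols '{suffix}'")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("repeated character run")
    low = pw.lower()
    walk = next((row[i:i + 4] for row in KEYBOARD_ROWS
                 for i in range(len(row) - 3) if row[i:i + 4] in low), None)
    if walk:
        findings.append(f"keyboard walk '{walk}'")
    return findings


def structured_entropy_bits(pw: str) -> float:
    """Estimate for an attacker who knows the base-word + mangling-rule structure."""
    base, suffix = split_base_and_suffix(pw)
    normalised = base.lower().translate(LEET)
    if normalised not in COMMON_BASES:
        return naive_entropy_bits(pw)          # no structure recognised: fall back to naive bound
    bits = math.log2(ASSUMED_DICTIONARY_SIZE)   # which word
    bits += sum(1 for a, b in zip(base.lower(), normalised) if a != b)  # 1 bit per leet swap
    bits += 1 if base[:1].isupper() else 0      # capitalised or not
    bits += len(suffix) * math.log2(43)         # assumption: 10 digits + 33 symbols per suffix char
    return bits


def report(pw: str) -> dict:
    return {"naive_bits": naive_entropy_bits(pw),
            "structured_bits": structured_entropy_bits(pw),
            "findings": pattern_findings(pw)}


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, report(pw))
```

Tr0ub4dor&3 scores over 70 bits on the naive count but under 30 once the structure is known, which is why a checker that only counts character classes will happily approve a burned pattern.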
AXOX Hub's Password Strength Checker runs entirely in your browser — nothing is uploaded — and gives you an entropy score plus pattern analysis so you can see exactly why a password is weak before you trust it with your accounts. Pair it with a HIBP lookup for a complete picture.
Build a habit, not a one-off check
- Schedule a quarterly password audit in your calendar.
- Subscribe to HIBP email notifications so you're alerted the moment a breach involving your address is added.
- If you run a service, integrate the Pwned Passwords API into your sign-up flow so users can't pick passwords that are already burned.
- Move toward passkeys where supported — they eliminate the password reuse problem entirely.
Audit your passwords now with the free Password Strength Checker on AXOX Hub — no signup, no tracking, fully client-side.