Has my password been leaked?

Check a password against the Have I Been Pwned breach database. The password never leaves your browser; we send only the first five characters of the SHA-1 hash.

Privacy by design. We compute the hash locally, send a 5-character prefix to HIBP, and compare the rest of the hash against the response in your browser. HIBP cannot reconstruct the password from a 5-char prefix and Vectel never sees it.

How privacy works here

1. Your browser computes the SHA-1 hash of the password locally. 2. The first 5 hex characters of the hash are sent to api.pwnedpasswords.com over HTTPS. 3. HIBP returns a list of all hash suffixes starting with that prefix, plus their breach counts. 4. Your browser checks if the rest of your hash is in the list, never sending the password or the full hash anywhere.

Better than checking: prevent the leak

• 1Use a password manager (1Password, Bitwarden, Apple/Google) so every account gets a unique long password.
• 2Turn on MFA on every account that supports it. A leaked password without the second factor is mostly harmless.
• 3Stop reusing one password across services. Even strong passwords get leaked when one of the services gets breached.
• 4If you spot a password you actually use here, change it on every account that uses it, not just the one you remember.