This tool is all about making sure your password isn't leaked, and we want to keep it that way. Your password is never sent to our servers. Here's how:

When you type in a password in the input field, we use the SHA-1 algorithm to hash your password.

We then send only the 5 first characters of that hash to our API, which returns a list potential hashes.

That list is then compaired against your full password hash, and if one is found, there's some extra information about how many times that hash has been registered in HIBP's dataset.

This ensures that your password is never actually sent over the internet.