Esrok

Password Exposure Check

Check whether a password appears in known breach password datasets without sending the full password anywhere.

Private by design. The password is SHA-1 hashed locally, only the first 5 hash characters are sent, and the full password is never stored by Esrok.

How the private check works

The full password stays in the browser. Only a tiny hash prefix leaves the page.

The password is hashed with SHA-1 locally in your browser. Only the first 5 characters of that hash are sent to the API; this is the k-anonymity method used by Have I Been Pwned's Pwned Passwords service.

The returned hash suffix list is then compared locally in the browser, so the full password and full hash are never sent across the network.
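
The flow described above, as an added example (not Esrok's code). It uses Node's crypto module so it runs offline, where a browser would call crypto.subtle.digest; sampleRange, its response rows and the counts are constructed stand-ins for the API call, and the SUFFIX:COUNT line format is the one the Pwned Passwords range endpoint returns.

```javascript
// Added example: k-anonymity range check against a constructed response.
const { createHash } = require("node:crypto");

// Full SHA-1 of the password, 40 uppercase hex characters. Never leaves this process.
function sha1Hex(password) {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// The 5-character prefix is the only value sent; the 35-character suffix stays local.
function splitHash(password) {
  const hash = sha1Hex(password);
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Parse "SUFFIX:COUNT" lines, skipping anything malformed.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// Returns how often the password appears; 0 means no match in the returned bucket.
function exposureCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return parseRange(fetchRange(prefix)).get(suffix) ?? 0;
}

// Hypothetical stand-in for the network call; records what would be sent.
const sentPrefixes = [];
function sampleRange(prefix) {
  sentPrefixes.push(prefix);
  const rows = ["0".repeat(35) + ":0",  // constructed zero-count row
                "F".repeat(35) + ":3"]; // constructed unrelated suffix
  // Suffix of SHA-1("password"); the count 12345 is constructed.
  if (prefix === "5BAA6") rows.push("1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345");
  return rows.join("\r\n");
}

console.log(exposureCount("password", sampleRange));
console.log(exposureCount("a long unique passphrase 7!", sampleRange));
console.log(sentPrefixes); // only 5-character prefixes were ever handed to the "API"
```

Every password whose hash shares the same 5-character prefix produces the same request, so the server cannot tell which suffix in the bucket, if any, the client was looking for.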

What an exposed password means

A match means the password has appeared in breach data before and should not be trusted for important accounts.

If the password is found, replace it with a long unique password and avoid reusing it anywhere else. Exposure counts can be extremely high for common passwords, which makes them easy targets for automated attacks.

If the password is not found, that is better than a match, but you should still aim for length, uniqueness, and a password manager-friendly workflow.