Free Tool
Has this password leaked?
We hash your password in your browser and only send the first 5 characters of the SHA-1 hash to the Have I Been Pwned k-anonymity API. Nothing is logged on our servers.
Your password never leaves this page. SHA-1 hash → keep first 5 chars → send only those to
api.pwnedpasswords.com/range/<prefix>. Local-only suffix match. Open DevTools → Network and verify.Privacy & how k-anonymity works
Cloudflare and Have I Been Pwned built the k-anonymity range API precisely to let services ask "is this password leaked?" without ever revealing the password. You compute SHA-1, keep the first 5 hex chars, send those to api.pwnedpasswords.com/range/<prefix>, and locally check whether the suffix of your hash appears among the ~500 candidates returned. Cybersecurity Forefront does not run a proxy — your browser talks directly to the API.