Security Logic
Discover how we check your password without ever knowing what it is.
Local Hashing
Your password is immediately transformed into a 40-character hexadecimal fingerprint using the SHA-1 algorithm. This happens on your device.
Prefix Extraction
We take only the first 5 characters of that fingerprint. These 5 characters are shared by the fingerprints of thousands of different passwords.
The Range Query
We send those 5 characters to the Have I Been Pwned database. It returns a list containing the suffix of every leaked hash that starts with those 5 characters.
Response: [Suffix A, Suffix B...]
Local Match
Finally, we check if the rest of your fingerprint matches any suffix in that list. If it does, your password was found in a breach.
Result: Found / Safe
Privacy First
This technique is called k-Anonymity. Because we only share 5 characters, the server never knows which specific password you're checking. Your actual password never leaves your browser.
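The four steps above, and the privacy property they give, as an added Python example (not this site's own code). It runs offline: fake_range_server is a hypothetical stand-in for the range endpoint, its entries and counts are constructed, and the "SUFFIX:COUNT" line format with zero-count padding entries is an assumption about the response that the page does not spell out.

```python
import hashlib

def split_sha1(password):
    """Hash locally; return (5-char prefix, 35-char suffix) as uppercase hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines, skipping malformed lines and zero-count padding."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdecimal():
            continue
        if int(count) > 0:
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """Return the breach count for the password, or 0 if no suffix matches."""
    prefix, suffix = split_sha1(password)
    candidates = parse_range_body(fetch_range(prefix))  # only the prefix is sent
    return candidates.get(suffix, 0)                    # match happens locally

SENT = []  # everything that left the "device" in this demo

def fake_range_server(prefix):
    """Constructed stand-in for the range endpoint; suffix counts are made up."""
    SENT.append(prefix)
    if prefix != "5BAA6":
        return ""
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # constructed entry
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",  # suffix of SHA-1("password")
        "F" * 35 + ":0",                           # padding-style entry, ignored
        "not-a-valid-line",                        # malformed, ignored
    ])

if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody reuses"):
        n = breach_count(pw, fake_range_server)
        print(pw, "->", "Found (%d)" % n if n else "Safe")
    print("sent to server:", SENT)
```

SENT ends up holding only 5-character prefixes, which is the whole of what the server learns about each password checked.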