BREACH LOOKUP

PASSWORD
CHECK

Has your password shown up in known breach data?
Check without sending the full password.

01 Your password is hashed locally in your browser
02 Only the first 5 characters of that hash are sent
03 Possible matches are returned and checked on your device

◈ Your full password never leaves your device. Only the first 5 characters of its SHA-1 hash are transmitted.
K-ANONYMITY MODEL

This uses Troy Hunt's Pwned Passwords k-anonymity API. Your full password hash is never sent, only a 5-character prefix. Possible matches come back and the final check happens in your browser. Learn how Pwned Passwords protects password range searches

What this check can and cannot tell you

A match means the password appears in the public Pwned Passwords corpus and should not be reused. Change it anywhere it still protects an account, then turn on two-factor authentication for important services. No match is useful, but it is not proof that the password is strong or private. A unique password generated by a password manager is still the best baseline.

TRACED does not connect the password check to an email address, account name, or browsing profile. The page exists to make the exposure workflow easier to understand without asking for more personal data than the check requires.

The safest way to use the result is simple: if the password appears in breach data, retire it everywhere. Start with email, banking, cloud storage, school, work, shopping, and social accounts because those accounts can be used to reset other services. Then replace weaker variants that share the same base phrase or pattern.

If the password does not appear, still treat it as one signal rather than a full security review. Long, unique passwords are stronger than reused memorable passwords, and a password manager makes that habit easier to maintain. TRACED keeps the check narrow so the page can explain risk without becoming an account-monitoring service.