Password Breach Checker
Check if your password appeared in a known data breach. 100% private — your password never leaves your browser.
How does this work — and why is it private?
CyDuck uses the HaveIBeenPwned Passwords API with a technique called k-Anonymity. Here's exactly what happens when you click check:
- Your password is hashed using SHA-1 entirely in your browser
- Only the first 5 characters of that hash are sent to the API
- The API returns all hashes starting with those 5 characters (thousands of them)
- Your browser compares the full hash against the list — locally, privately
- The result is shown to you. Nothing else is transmitted.
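The steps above, as an added JavaScript example (not CyDuck's own code). The function names, `fakeRangeApi` and its response lines are constructed so the example runs offline; the `SUFFIX:COUNT` response format and the optional `Add-Padding` request header belong to the HaveIBeenPwned range API and are not described on this page.

```javascript
// Added example: k-anonymity range lookup, runnable offline via an injected fetch.
const RANGE_URL = 'https://api.pwnedpasswords.com/range/'; // HIBP range endpoint

// Step 1: SHA-1 the password locally and return 40 uppercase hex characters.
async function sha1Hex(password) {
  // Web Crypto in browsers and current Node; the import is a fallback for older Node.
  const wc = globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
  const digest = await wc.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Step 4: the response is "SUFFIX:COUNT" lines; look for our 35-character suffix locally.
// Padding entries carry a count of 0, so they never register as a breach hit.
function countForSuffix(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// Steps 2, 3 and 5: send only the 5-character prefix, then report the local match.
async function checkPassword(password, fetchFn = fetch) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5); // stays in the browser
  const res = await fetchFn(RANGE_URL + prefix, { headers: { 'Add-Padding': 'true' } });
  if (!res.ok) throw new Error(`range lookup failed: HTTP ${res.status}`);
  return { sent: prefix, breachCount: countForSuffix(await res.text(), suffix) };
}

// Constructed stand-in for the API: records what was sent, returns sample lines.
const sentUrls = [];
async function fakeRangeApi(url) {
  sentUrls.push(url);
  const body = [
    '0018A45C4D1DEF81644B54AB7F969B88D65:1', // constructed entry
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3', // suffix of SHA-1("password"), constructed count
    '011053FD0102E94D6AE2F8B83D76FAF94F6:0', // constructed padding entry
  ].join('\r\n');
  return { ok: true, status: 200, text: async () => body };
}

checkPassword('password', fakeRangeApi).then((r) => console.log(r, sentUrls));
```

Inspecting `sentUrls` (or the browser's network tab on a real check) confirms that the request URL ends in the 5-character prefix and nothing else derived from the password.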
The HaveIBeenPwned database contains over 10 billion compromised passwords collected from publicly known data breaches.
Frequently Asked Questions
Is my password sent to any server?
No. Only the first 5 characters of your password's SHA-1 hash are sent to the HaveIBeenPwned API. Your actual password never leaves your browser.
What does it mean if my password was found in a breach?
It means your password appeared in a publicly known data breach. Stop using it immediately and replace it with a strong, unique password. Use CyDuck's password generator to create a new one.
What is k-Anonymity?
k-Anonymity is a privacy model where only a partial hash is sent to the API. The server returns all hashes matching that prefix, and the comparison happens locally in your browser. Your full password or hash is never transmitted.
My password was not found — does that mean it's safe?
Not necessarily. It means it hasn't appeared in known public breaches. It could still be weak or guessable. Always use a strong, unique password for every account.