Your password is hashed locally using SHA-1. Only the first 5 characters of the hash are sent to the server. Your actual password never leaves your device.
Email check requires API integration (demo mode)
Check if your email has appeared in known data breaches.
1. Local Hashing: Your password is hashed using SHA-1 entirely in your browser.
2. Partial Transmission: Only the first 5 characters of the hash are sent to the API.
3. Local Comparison: The API returns all hash suffixes matching that prefix. Your browser checks locally if your full hash is in the list.
4. Complete Privacy: The server never knows which specific hash you were checking.
Data from Troy Hunt's breach database