Password Breach Checker
Your password never leaves this page
We hash your password in your browser with SHA-1 and send only the first 5 hex characters of that hash to Have I Been Pwned. The server answers with the several hundred hash suffixes that share that prefix, and the actual comparison happens here, in your browser. This is called k-anonymity; it is the same approach 1Password and Chrome use for their breached-password warnings.
A free checker that tells you whether a password has shown up in any of the hundreds of credential breaches tracked by Have I Been Pwned. If it has, attackers have it — and automated bots will be trying it on email, banking, and cloud accounts right now. Change it everywhere you’ve used it, and make the new one unique per site.
You never send the password itself. The tool hashes your password locally with SHA-1, sends only the first 5 hex characters of the hash to HIBP, and compares the reply against the remaining 35 characters in your browser. This is called k-anonymity. 1Password Watchtower queries the same HIBP API, and Chrome's password-leak warning relies on the same prefix-and-compare-locally idea. When you need to rotate a password, use the password generator to create the replacement.
How to Use
- Type or paste a password into the box.
- Click Check — it hashes locally and sends only 5 characters of the hash.
- A green box means it’s not in HIBP’s breach corpus; red means rotate it now.
- Click Clear when done so the field resets.
When to Use
- Periodically auditing passwords you reuse across multiple sites.
- Verifying a candidate password isn’t already compromised before adopting it.
- After hearing about a major breach (LinkedIn, Adobe, Yahoo), checking whether your passwords were affected.
- When migrating to a password manager — checking each existing password for breach status before storing.
When Not to Use
- On a shared / public computer where someone could read your password before you check.
- For checking at login or signup time. This page is a manual audit tool; a service that wants to screen passwords at authentication time should call the HIBP range API from its own backend.
- As proof of password security — passing this check means ‘not yet leaked’, not ‘will never be leaked’.
Common Use Cases
- Annual password hygiene check — review all reused passwords against HIBP.
- Onboarding to 1Password — bulk-check all existing passwords for breach status.
- Investigating after receiving a Have I Been Pwned alert email about a service.
- Security training demo: show users that 'password123' is already in the breach corpus with a large hit count.
Frequently Asked Questions
How does k-anonymity actually protect my password?
Your password is SHA-1 hashed locally in your browser (e.g. 'password' becomes '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8'). Only the FIRST 5 hex characters ('5BAA6') are sent to HIBP. HIBP returns ALL hash suffixes in its database that start with '5BAA6' (typically 500-1000 entries), and your browser compares the remaining 35 characters against that list locally. HIBP never sees your full hash or your password and cannot recover your input; all it learns is that your password falls into a bucket shared with hundreds of other passwords, which is the 'k' in k-anonymity. 1Password Watchtower queries this same HIBP API; Chrome's and Apple's built-in password checks apply the same prefix-and-compare-locally design against their own breach data.
What's the largest leaked password database HIBP knows about?
HIBP's Pwned Passwords v8 contains 847+ million unique password hashes from breaches including Adobe (2013, 153M accounts), LinkedIn (2012, 117M), Yahoo (2013, initially reported as 1B accounts and later revised to 3B, with passwords hashed using MD5), Dropbox (2012, 68M), and hundreds more. Common passwords like '123456' appear millions of times. If your password shows up at all, attackers have it. The 'count' is the number of times that password was seen across all the breached data sets HIBP has loaded, not the number of breaches; even a count of 1 means it is compromised.
Should I check passwords I'm currently using?
Yes — that's the primary use case. If a password you currently use shows up in HIBP, an attacker can attempt credential-stuffing attacks (trying the same email + password on hundreds of sites). Change it immediately, especially for: email (gateway to everything), banking, primary social media, password manager master password. Use unique passwords per site so one breach doesn't cascade. A password manager is essentially mandatory for this; humans can't remember 100+ unique passwords.
Why isn't my password showing as breached if it's a common word?
Common dictionary words ARE in the database. If '123456' or 'password' show as 'not breached', you probably have a typo, a trailing space, or an extra character. The check is exact-match on the SHA-1 hash: 'Password' (capital P) and 'password' are different hashes, and each is looked up separately (though both are almost certainly in the database). For testing, try '123456'; it should show as breached tens of millions of times.
Are special characters required for a strong password?
Length matters more than complexity. NIST SP 800-63B (2017) dropped mandatory composition rules and forced periodic rotation in favour of long passwords that are screened against breach lists, which is exactly what this tool does. A long passphrase of random words ('correct horse battery staple') beats a short complex password ('P@ssw0rd!1'): 20 random lowercase letters give about 94 bits of entropy (20 x log2 26), while 8 characters drawn from all 95 printable ASCII symbols give only about 53 bits (8 x log2 95). NIST also requires systems to accept passwords of at least 64 characters. Use a password manager to generate 25+ character random strings; you only need to remember the manager's master password and your operating system's login. The era of memorized site-specific passwords is over.
What should I do if my password IS in the breach database?
Immediate steps: (1) Stop using it — change it on every site where you used it. (2) Enable 2FA / multi-factor authentication on critical accounts (email, banking, password manager). (3) Switch to a password manager (1Password, Bitwarden, Dashlane) and generate unique passwords for every site. (4) Check 'haveibeenpwned.com' with your email to see WHICH services breached your account. (5) Monitor financial accounts for unauthorized activity. (6) Consider a credit freeze if SSN was potentially exposed.