SECURITYApril 15, 2025·6 min read

How Have I Been Pwned Works — and Why k-Anonymity Matters

HaveIBeenPwned lets you check if your password appears in a breach without ever transmitting your password. Here is the k-anonymity model that makes it safe.

What Have I Been Pwned is

Have I Been Pwned (HIBP) is a free service created by Troy Hunt that aggregates data from publicly known data breaches. As of 2025, it contains over 12 billion compromised accounts from more than 800 breaches, including the largest credential leaks in history. When you check a password, you're checking whether it appears in this aggregate dataset.

The k-anonymity implementation

The clever part of HIBP's password checking API is that your actual password never leaves your device. Here is exactly how it works:

  1. Your browser computes the SHA-1 hash of your password locally. SHA-1 of "password123" = "cbfdac6008f9cab4083784cbd1874f76618d2a97"
  2. Only the first 5 characters of that hash are sent to HIBP's API: "CBFDA"
  3. HIBP returns a list of all hashes in its database that start with those 5 characters — hundreds of them, all different passwords
  4. Your browser checks locally whether your full hash appears in that list
  5. HIBP never saw your full hash. HIBP cannot determine which password you were checking

This is k-anonymity: your query is indistinguishable from any other query that shares the same 5-character prefix. Even if HIBP's API was monitored, an observer would see "CBFDA" and have no idea which specific password from the thousands with that prefix was being checked.

How PassGeni implements this

PassGeni's breach checker uses exactly this implementation. The SHA-1 hash is computed in your browser using the Web Crypto API. Only the 5-character prefix is sent. The full list of matching hashes is returned and checked locally. Nothing identifying your password reaches any server — PassGeni's or HIBP's.

You can verify this yourself: open DevTools (F12), go to the Network tab, run a breach check, and inspect the outgoing request. You'll see only the 5-character prefix in the URL.

What it means when a password is flagged

A flagged password doesn't mean your account was specifically breached — it means the password appears in at least one breach dataset. The count shown tells you how many times it appeared. "password" appears over 9 million times. Even a single appearance means the password is in attacker wordlists and should never be used.

Change any flagged password immediately on every site where you've used it. Use PassGeni to generate a replacement with verified high entropy.

Key topics
HaveIBeenPwnedHIBPk-anonymitybreach databasePwned Passwords API
Was this post useful?
Frequently asked questions

Questions about this topic

Does HaveIBeenPwned see my password when I check it?

+

How many passwords does HaveIBeenPwned have indexed?

+

How do I integrate the Pwned Passwords API into my application?

+
More posts

Related reading

Passkeys vs Passwords in 2025: Is the Password Era Actually Over?

7 min read →

Dictionary Attack vs Brute Force: What's the Difference?

6 min read →

Password Security for Remote Work in 2025: The Threat Landscape Has Changed

9 min read →