HIBP k-Anonymity Prefix

Hash a password with SHA-1 and show the 5-char prefix for the HIBP range API.

Overview

The HIBP k-Anonymity prefix helper hashes a password with SHA-1 locally and shows the 5-character prefix you can send to the Have I Been Pwned range API. The full hash never leaves your browser — only the first 5 hex characters go to HIBP, which returns every leaked hash with that prefix for you to scan client-side.

It is the right way to check whether a password appears in known breaches without uploading the password itself. Engineers writing breach-check features, sysadmins auditing legacy databases, and security-curious users who want to verify a candidate password before using it will all find this useful.

How it works

The Have I Been Pwned Pwned Passwords API exposes a k-Anonymity endpoint at https://api.pwnedpasswords.com/range/<prefix>. You compute SHA-1 over the UTF-8 bytes of the password, take the first 5 uppercase hex characters of the resulting 40-character digest, and request the matching range. HIBP returns about 500–1000 lines, each <remaining-35-hex>:<count>. The client scans the response for the rest of its own hash; if it finds one, the password has been seen in a breach and the count tells you how often.

SHA-1 is used because the original Pwned Passwords dataset was distributed as SHA-1 hashes long before SHA-1's weaknesses became practically relevant for this use case. Pre-image resistance is still strong enough that the API does not leak passwords.
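The exchange described above (hash locally, send the 5-character prefix, scan the returned range for your own suffix) as an added Python example; this is not the tool's own code. The range response embedded below is constructed for the example and is not real HIBP data, except that the suffix for "password" is the real one derived from the SHA-1 digest shown on this page. The only network call, `fetch_range`, is provided for completeness and is not exercised by the offline check; the `Add-Padding` request header it sets is HIBP's documented option that adds decoy entries with a count of 0, which is why a count of 0 is treated as "not found".

```python
import hashlib
import re
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"
SUFFIX_RE = re.compile(r"^[0-9A-F]{35}$")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the UTF-8 bytes of the password with SHA-1 and split the
    40-char uppercase hex digest into the 5-char prefix sent to HIBP
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Request the range for a prefix. Add-Padding asks HIBP to pad the
    response with count-0 decoys so the response size reveals nothing."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse '<suffix>:<count>' lines into a dict. Malformed lines are
    skipped rather than raising, so a stray blank or CRLF cannot break
    the check. Padding entries (count 0) are kept but mean 'not seen'."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if not sep or not SUFFIX_RE.match(suffix) or not count.isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def breach_count(password: str, range_prefix: str, range_body: str) -> int:
    """Return how many times the password appears in the breach corpus
    according to the supplied range, or 0 if absent (or only a padding
    entry). Refuses to scan a range fetched for a different prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_prefix.upper() != prefix:
        raise ValueError(f"range is for {range_prefix}, need {prefix}")
    return parse_range_response(range_body).get(suffix, 0)


# Constructed range response for prefix 5BAA6 (not real HIBP output).
# The third line carries the real suffix of SHA-1("password") with a
# made-up count; the second line imitates an Add-Padding decoy.
CONSTRUCTED_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6:17
"""


def check_offline(password: str) -> int:
    """Run the k-anonymity check against the constructed range above."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, prefix, CONSTRUCTED_RANGE_5BAA6)


if __name__ == "__main__":
    p, s = sha1_prefix_suffix("password")
    print(f"prefix sent to HIBP: {p}   suffix kept local: {s}")
    print("seen in constructed range:", check_offline("password"), "times")
```

Only `prefix` ever reaches the URL; the suffix is compared against the parsed dictionary in memory. To run it against the live API, replace `CONSTRUCTED_RANGE_5BAA6` with `fetch_range(prefix)` and keep the same `breach_count` call.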

Examples

Password: password
SHA-1:    5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
Prefix:   5BAA6
Suffix to scan for in range response: 1E4C9B93F3F0682250B6CF8331B7EE68FD8

Password: correcthorsebatterystaple
SHA-1:    BF95E1F35B729F86C8A6E0FCA47B4DE514F65AE3
Prefix:   BF95E
Suffix to scan for in range response: 1F35B729F86C8A6E0FCA47B4DE514F65AE3

Password: hunter2
SHA-1:    F3BBBD66A63D4BF1747940578EC3D0103530E21D
Prefix:   F3BBB
Suffix to scan for in range response: D66A63D4BF1747940578EC3D0103530E21D

FAQ

Why is SHA-1 still safe here?

The HIBP range API does not rely on collision resistance. The threat model is "can the server identify the password from 5 hex characters?" — and 2^140 candidate hashes for each prefix make that impractical.

Does the password ever leave my browser?

No. The hashing happens locally; only the 5-character prefix is sent over the wire. Anyone watching the request sees a prefix shared by hundreds of thousands of passwords.

What if my hash is in the response?

Stop using that password everywhere. The count tells you roughly how common it is in the breach corpus — anything over zero means it should be considered compromised.

Can I check NTLM hashes too?

HIBP offers a separate NTLM-mode endpoint. This tool focuses on the SHA-1 prefix, since SHA-1 is the canonical Pwned Passwords format.
