How Your Privacy Is Protected
Your password is SHA-1 hashed inside your browser. Only the first 5 characters of the 40-character hash are sent to HIBP β making it mathematically impossible for anyone (including HIBP or Konsaltix) to reconstruct your password from the request. This is called k-anonymity.
What Was Sent to HIBP (k-anonymity in action)
π¬ How does k-anonymity keep my password private?
When you type a password, your browser computes itsSHA-1 hash β a fixed-length "fingerprint" of the password. For example, the passwordpasswordalways produces the hash5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
Only the first 5 characters(5BAA6) are sent to HIBP. The API returns roughly 500 different hash suffixes that all begin with those 5 characters. Your browser then checks β entirely locally β whether 1E4C9B93F3F0682250B6CF8331B7EE68FD8 appears in that list.
HIBP sees only 5BAA6, which matches hundreds of thousands of possible passwords. Theycannot determine which password you checked β that's the k-anonymity guarantee. Troy Hunt documented this model in detail attroyhunt.com.
π‘οΈ If Your Password or Email Was Found β Do This Now
Change the password immediately
Change it on every site where you used the same password β attackers try breached credentials across every major service within hours.
Enable two-factor authentication
Even if your password is stolen, 2FA blocks an attacker from logging in. Use an authenticator app, not SMS where possible.
Generate a stronger replacement
Use ourfree Password Generatorto create a cryptographically random replacement no attacker can guess.
Run a full account audit
OurAccount Defense Checklistwalks you through every step to lock down your online presence.
