What is Xposed Passwords?

Welcome to Xposed Passwords, a free platform designed to help the general public check if a password has been compromised and exposed in a data breach.

Our massive password collection is made up of real passwords that have been exposed in various data breaches around the world. To ensure the security of this information, we use a highly secure hashing algorithm called SHA-3 (Keccak-512) to hash and store the passwords in a one-way hash for verification. No passwords are stored in plain text.

For more information on the technical and operational controls we have in place to enhance the security of our platform, check out our blog post 'Xposed Passwords: Your Free Password Checker'.

View all FAQs

Developers Guide

//Include script src as https://cdnjs.cloudflare.com/ajax/libs/js-sha3/0.7.0/sha3.js"

$(document).ready(function() {
    $("#go").click(function(abacus) {
        abacus.preventDefault();
        var pwd_hash = (keccak_512($("#passwd").val()).substring(0, 10));
        var apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' + encodeURIComponent(pwd_hash);
        var pwd_str = document.getElementById("passwd").value;
        if (pwd_str.length != 0) {
            var xon_response = $.ajax(apiUrl)
                .done(function(n) {
                    $('#message-text').html("Oops : Password looks exposed and hence avoid using this");
                });
        } else {
            $('#message-text').html("Oops! Try again with a valid password. ");
            $('#passwd').focus();
        }
    });
});

			      


// Requirement PHP 7.2 or greater
// Install Keccak library using `composer require kornrunner/keccak-php`

require 'vendor/autoload.php';
use KornRunner\KeccakPHP\Keccak;

if (isset($_POST['submit'])) {
    $pwd_str = $_POST['passwd'];
    if (strlen($pwd_str) != 0) {
        $keccak = new Keccak();
        $keccak->setDigestSize(512);
        $keccak->update($pwd_str);
        $pwd_hash = $keccak->digest();
        $pwd_hash=substr($pwd_hash,0,10);
        $apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' . urlencode($pwd_hash);
        $xon_response = file_get_contents($apiUrl);
        if ($xon_response) {
            echo "Oops : Password looks exposed and hence avoid using this";
        }
    } else {
        echo "Oops! Try again with a valid password. ";
    }
}


		     
# Uses https://pypi.org/project/pycryptodome
from Crypto.Hash import keccak
import urllib.parse
import requests

def keccak_hash(pwd):
    k = keccak.new(digest_bits=512)
    k.update(pwd)
    return k.hexdigest()[:10]

password = input("Enter the password: ")

if len(password) !=  0:
    pwd_hash = keccak_hash(password.encode())
    koodudal = 'https://passwords.xposedornot.com/api/v1/pass/anon/' + urllib.parse.quote(pwd_hash)
    response = requests.get(koodudal)
    if response.status_code ==  200:
        print('Oops: Password looks exposed and hence avoid using this')
    elif response.status_code ==  404:
        print('Password is safe')
    else:
        print(f'Error: {response.status_code}')
else:
    print("Oops! Try again with a valid password.")
		     
require 'keccak-ruby'
require 'net/http'
require 'uri'

puts "Enter the password:"
password = gets.chomp

if !password.empty?
    pwd_hash = Keccak::Digest.new(512, 0x01).digest(password)[0..9]
    apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' + URI.encode(pwd_hash)
    uri = URI.parse(apiUrl)
    res = Net::HTTP.get_response(uri)
    if res.code != '200'
        puts "Oops: Password looks exposed and hence avoid using this"
    else
        puts "password is safe"
    end
else
    puts "Oops! Try again with a valid password."
end

                     
                              import org.bouncycastle.jcajce.provider.digest.Keccak;
                              import java.net.HttpURLConnection;
                              import java.net.URL;
                              import java.util.Scanner;
                              public class Main {
                              public static void main(String[] args) throws Exception {
                              Scanner scanner = new Scanner(System.in);
                              System.out.println("Enter the password:");
                              String password = scanner.nextLine();
                              if (!password.isEmpty()) {
                              Keccak.DigestKeccak keccak = new Keccak.Digest512();
                              byte[] hash = keccak.digest(password.getBytes());
                              String pwd_hash = new String(hash).substring(0, 10);
                              String apiUrl = "https://passwords.xposedornot.com/api/v1/pass/anon/" + java.net.URLEncoder.encode(pwd_hash, "UTF-8");
                              URL url = new URL(apiUrl);
                              HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                              conn.setRequestMethod("GET");
                              if (conn.getResponseCode() != 200) {
                              System.out.println("Oops: Password looks exposed and hence avoid using this");
                              } else {
                              System.out.println("Password is safe");
                              }
                              } else {
                              System.out.println("Oops! Try again with a valid password.");
                              }
                              }
                              }
                              

                     

                              
package main

import (
  "encoding/hex"
  "fmt"
  "net/http"
  "net/url"

  "golang.org/x/crypto/sha3"
)

func main() {
  var password string
  fmt.Println("Enter the password:")
  fmt.Scanln(&password)

  if len(password) != 0 {
    hash := sha3.NewLegacyKeccak512()
    hash.Write([]byte(password))
    pwd_hash := hash.Sum(nil)
    apiUrl := "https://passwords.xposedornot.com/api/v1/pass/anon/" + url.QueryEscape(hex.EncodeToString(pwd_hash)[:10])
    fmt.Println(apiUrl)

    resp, err := http.Get(apiUrl)
    if err != nil {
      fmt.Println(err)
      return
    }
    defer resp.Body.Close()

    if resp.StatusCode == http.StatusNotFound {
      fmt.Println("Oops: Password looks exposed and hence avoid using this")
    } else if resp.StatusCode == http.StatusOK {
      fmt.Println("Password is not safe.")
    } else {
      fmt.Printf("Received unexpected status code: %d\n", resp.StatusCode)
    }
  } else {
    fmt.Println("Oops! Try again with a valid password.")
  }
}
                     
extern crate tiny_keccak;
extern crate reqwest;
extern crate hex;

use std::io;
use tiny_keccak::Keccak;
use std::str;

fn main() {
    let mut password = String::new();
    println!("Enter the password:");
    io::stdin().read_line(&mut password).unwrap();

    if !password.trim().is_empty() {
        let mut hasher = Keccak::new_keccak512();
        hasher.update(password.as_bytes());
        let mut res: [u8; 64] = [0; 64];
        hasher.finalize(&mut res);
        let pwd_hash = hex::encode(&res[0..5]); // Get 10 characters of hash
        let apiUrl = format!("https://passwords.xposedornot.com/api/v1/pass/anon/{}", urlencoding::encode(&pwd_hash));

        let resp = reqwest::get(&apiUrl).unwrap();
        if !resp.status().is_success() {
            println!("Oops: Password looks exposed and hence avoid using this");
        } else {
            println!("Password is safe");
        }
    } else {
        println!("Oops! Try again with a valid password.");
    }
}

What should I do if my passwords are exposed?

1. Change your password right away: If you find out your password was compromised in a data breach, change it immediately to a strong and unique password that you're not using anywhere else.

2. Turn on two-factor authentication: Add an extra layer of security to your account by turning on two-factor authentication, which makes it harder for attackers to gain access.

3. Check your account activity: Look at your account activity logs to see if there's been any weird or unauthorized activity, like someone trying to log in or change your settings.

4. Update your security questions: If you had security questions associated with your account, update them, since they may have been compromised too.

5. Check your other accounts: Check if you used the same or similar passwords for any other accounts and update them to strong and unique ones.

6. Keep an eye on your finances: Check your bank and credit card accounts for any transactions you don't recognize or didn't authorize.

7. Report the breach: Let the relevant authorities know about the data breach, whether it's the company that owns the compromised account or a government agency.

8. Use a password manager: Consider using a password manager to create and store strong, unique passwords for all your accounts.

9. Stay alert: Be on the lookout for any signs of identity theft or fraudulent activity, and report anything suspicious right away.

10. Learn more about online security: Educate yourself on the best practices for online security and stay informed about the latest threats and vulnerabilities.

What Should You Do After Data Breach

Join us in shaping this fully open source site! Contributions welcome ❤️ —check out our GitHub .


Privacy Policy Responsible Disclosure Hall of Fame