Check if a password has been exposed

XoN is a collection of passwords that have been made public, with a total of 835,955,029 such passwords. The use of these exposed passwords can put your online security at risk.

Password security Guidelines

What is Xposed Passwords?

Xposed Passwords is your free security tool to check if hackers already know your password. Here's what we do:

✓ We maintain a secure database of 835+ million passwords that have been leaked in data breaches

✓ When you enter a password, we check if it's in our database of known leaked passwords

✓ For your security, we never store your actual password. Instead, we use advanced encryption (SHA-3) to safely check your password

Think of us as your password safety checker - like a metal detector for compromised passwords. If your password is found in our database, it means hackers might already know it, and you should change it right away.

Want to learn more? Check out our detailed guide on how Xposed Passwords keeps you safe.

View all FAQs

Developers Guide

//Include script src as https://cdnjs.cloudflare.com/ajax/libs/js-sha3/0.8.0/sha3.js

$(document).ready(function() {
    $("#searchMe").click(function(e) {
        e.preventDefault();
        var password = $("#edhu").val();
        
        if (password.length === 0) {
            $('#message-text').html("Please enter a password to check");
            $('#edhu').focus();
            return;
        }
        
        var pwd_hash = keccak_512(password).substring(0, 10);
        var apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' + encodeURIComponent(pwd_hash);
        
        $.ajax({
            url: apiUrl,
            method: 'GET',
            success: function() {
                $('#message-text').html("Warning: This password has been exposed in data breaches. Please choose a different password.");
            },
            error: function(xhr) {
                if (xhr.status === 404) {
                    $('#message-text').html("Good news! This password hasn't been found in any known data breaches.");
                } else {
                    $('#message-text').html("An error occurred while checking the password. Please try again.");
                }
            }
        });
    });
});

hash($password, 512)), 0, 10);
        $apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' . urlencode($pwd_hash);
        
        $context = stream_context_create(['http' => ['ignore_errors' => true]]);
        $response = file_get_contents($apiUrl, false, $context);
        
        if ($response === false) {
            $status = $http_response_header[0];
            if (strpos($status, '404') !== false) {
                return "Password is safe!";
            }
            return "Password has been exposed in data breaches";
        }
        
        return "An error occurred while checking the password";
    } catch (Exception $e) {
        return "Error: " . $e->getMessage();
    }
}

# Requirements: pip install pycryptodome requests
from Crypto.Hash import keccak
import requests
import urllib.parse

def check_password(password: str) -> str:
    if not password:
        return "Please enter a password to check"
    
    try:
        # Create SHA3-512 (Keccak) hash
        k = keccak.new(digest_bits=512)
        k.update(password.encode())
        pwd_hash = k.hexdigest()[:10]
        
        # Call API
        api_url = f'https://passwords.xposedornot.com/api/v1/pass/anon/{urllib.parse.quote(pwd_hash)}'
        response = requests.get(api_url)
        
        if response.status_code == 200:
            return "Warning: Password has been exposed in data breaches"
        elif response.status_code == 404:
            return "Good news! Password is safe"
        else:
            return f"Error: Unexpected response (Status code: {response.status_code})"
            
    except Exception as e:
        return f"Error: {str(e)}"

# Example usage
if __name__ == "__main__":
    password = input("Enter password to check: ")
    result = check_password(password)
    print(result)

# Requirements: gem install digest keccak
require 'digest'
require 'net/http'
require 'uri'

def check_password(password)
  return "Please enter a password to check" if password.nil? || password.empty?
  
  begin
    # Create Keccak-512 hash
    digest = Digest::Keccak.new(512)
    pwd_hash = digest.digest(password)[0..9]
    
    # Call API
    uri = URI("https://passwords.xposedornot.com/api/v1/pass/anon/#{URI.encode_www_form_component(pwd_hash)}")
    response = Net::HTTP.get_response(uri)
    
    case response.code
    when '200'
      "Warning: Password has been exposed in data breaches"
    when '404'
      "Good news! Password is safe"
    else
      "Error: Unexpected response (Status code: #{response.code})"
    end
  rescue => e
    "Error: #{e.message}"
  end
end

# Example usage
puts "Enter password to check:"
password = gets.chomp
result = check_password(password)
puts result

// Requirements: Add BouncyCastle dependency to your project
import org.bouncycastle.jcajce.provider.digest.Keccak;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class PasswordChecker {
    public static String checkPassword(String password) {
        if (password == null || password.isEmpty()) {
            return "Please enter a password to check";
        }

        try {
            // Create Keccak-512 hash
            Keccak.Digest512 digest = new Keccak.Digest512();
            byte[] hash = digest.digest(password.getBytes(StandardCharsets.UTF_8));
            String pwd_hash = bytesToHex(hash).substring(0, 10);

            // Call API
            String apiUrl = "https://passwords.xposedornot.com/api/v1/pass/anon/" + 
                           URLEncoder.encode(pwd_hash, StandardCharsets.UTF_8.toString());
            URL url = new URL(apiUrl);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("GET");

            int responseCode = conn.getResponseCode();
            if (responseCode == 200) {
                return "Warning: Password has been exposed in data breaches";
            } else if (responseCode == 404) {
                return "Good news! Password is safe";
            } else {
                return "Error: Unexpected response (Status code: " + responseCode + ")";
            }
        } catch (Exception e) {
            return "Error: " + e.getMessage();
        }
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder result = new StringBuilder();
        for (byte b : bytes) {
            result.append(String.format("%02x", b));
        }
        return result.toString();
    }

    public static void main(String[] args) {
        // Example usage
        String result = checkPassword("test-password");
        System.out.println(result);
    }
}

package main

import (
    "encoding/hex"
    "fmt"
    "net/http"
    "net/url"
    "golang.org/x/crypto/sha3"
)

func checkPassword(password string) string {
    if password == "" {
        return "Please enter a password to check"
    }

    // Create SHA3-512 (Keccak) hash
    hash := sha3.NewLegacyKeccak512()
    hash.Write([]byte(password))
    pwd_hash := hex.EncodeToString(hash.Sum(nil))[:10]

    // Call API
    apiUrl := fmt.Sprintf("https://passwords.xposedornot.com/api/v1/pass/anon/%s",
        url.QueryEscape(pwd_hash))
    
    resp, err := http.Get(apiUrl)
    if err != nil {
        return fmt.Sprintf("Error: %v", err)
    }
    defer resp.Body.Close()

    switch resp.StatusCode {
    case http.StatusOK:
        return "Warning: Password has been exposed in data breaches"
    case http.StatusNotFound:
        return "Good news! Password is safe"
    default:
        return fmt.Sprintf("Error: Unexpected response (Status code: %d)", resp.StatusCode)
    }
}

func main() {
    // Example usage
    var password string
    fmt.Print("Enter password to check: ")
    fmt.Scanln(&password)
    
    result := checkPassword(password)
    fmt.Println(result)
}

// Cargo.toml dependencies:
// [dependencies]
// tiny-keccak = { version = "2.0", features = ["keccak"] }
// reqwest = { version = "0.11", features = ["blocking"] }
// urlencoding = "2.1"

use tiny_keccak::{Hasher, Keccak};

fn check_password(password: &str) -> String {
    if password.is_empty() {
        return "Please enter a password to check".to_string();
    }

    // Create Keccak-512 hash
    let mut hasher = Keccak::v512();
    let mut output = [0u8; 64];
    hasher.update(password.as_bytes());
    hasher.finalize(&mut output);
    let pwd_hash = hex::encode(&output[..5]); // First 10 hex chars

    // Call API
    let api_url = format!(
        "https://passwords.xposedornot.com/api/v1/pass/anon/{}",
        urlencoding::encode(&pwd_hash)
    );

    match reqwest::blocking::get(&api_url) {
        Ok(response) => match response.status().as_u16() {
            200 => "Warning: Password has been exposed in data breaches".to_string(),
            404 => "Good news! Password is safe".to_string(),
            code => format!("Error: Unexpected response (Status code: {})", code),
        },
        Err(e) => format!("Error: {}", e),
    }
}

fn main() {
    // Example usage
    println!("Enter password to check:");
    let mut password = String::new();
    std::io::stdin().read_line(&mut password).unwrap();
    let result = check_password(password.trim());
    println!("{}", result);
}

What should I do if my passwords are exposed?

1. Change your password right away: If you find out your password was compromised in a data breach, change it immediately to a strong and unique password that you're not using anywhere else.

2. Turn on two-factor authentication: Add an extra layer of security to your account by turning on two-factor authentication, which makes it harder for attackers to gain access.

3. Check your account activity: Look at your account activity logs to see if there's been any weird or unauthorized activity, like someone trying to log in or change your settings.

4. Update your security questions: If you had security questions associated with your account, update them, since they may have been compromised too.

5. Check your other accounts: Check if you used the same or similar passwords for any other accounts and update them to strong and unique ones.

6. Keep an eye on your finances: Check your bank and credit card accounts for any transactions you don't recognize or didn't authorize.

7. Report the breach: Let the relevant authorities know about the data breach, whether it's the company that owns the compromised account or a government agency.

8. Use a password manager: Consider using a password manager to create and store strong, unique passwords for all your accounts.

9. Stay alert: Be on the lookout for any signs of identity theft or fraudulent activity, and report anything suspicious right away.

10. Learn more about online security: Educate yourself on the best practices for online security and stay informed about the latest threats and vulnerabilities.

What Should You Do After Data Breach

Dark Mode