How does the password security checker work?

XposedOrNot's password security checker uses Keccak-512 hashing to securely check your password against a database of over 835 million passwords leaked in data breaches. Your actual password is never stored or transmitted. Only a partial hash is sent to the API, ensuring your password remains private.

Is this password leak check really free?

Yes, XposedOrNot's password leak check is completely free with no limits. You can check as many passwords as you want. The tool is open-source and available on GitHub.

What should I do if my password is exposed?

If the password security checker finds your password in a data breach, change it immediately on all accounts where you used it. Enable two-factor authentication, use a password manager to generate unique passwords, and sign up for XposedOrNot's free breach alerts to get notified of future exposures.

Can you see my password when I check it?

No. XposedOrNot uses a privacy-first approach. Your password is hashed locally in your browser using Keccak-512 encryption. Only the first 10 characters of the hash are sent to the server for checking. Your actual password never leaves your device.

Free Password Security Checker. Is Your Password Leaked?

Free password leak check against 835,955,029 exposed passwords from known data breaches. Check if your password was exposed before hackers use it.

Password security Guidelines

What is the Xposed Passwords Leak Checker?

Xposed Passwords is your free password security checker to find out if your password has been leaked in a data breach. Here's what we do:

✓ We maintain a secure database of 835+ million passwords that have been leaked in data breaches

✓ When you enter a password, we check if it's in our database of known leaked passwords

✓ For your security, we never store your actual password. Instead, we use advanced encryption (SHA-3) to safely check your password

Think of us as your password leak checker, like a metal detector for exposed passwords. If your password is found in our database, it means hackers might already know it, and you should change it right away.

Want to learn more? Check out our detailed guide on how Xposed Passwords keeps you safe.

View all FAQs

Password Security Checker API. Developer Guide

//Include script src as https://cdnjs.cloudflare.com/ajax/libs/js-sha3/0.8.0/sha3.js

$(document).ready(function() {
    $("#searchMe").click(function(e) {
        e.preventDefault();
        var password = $("#edhu").val();
        
        if (password.length === 0) {
            $('#message-text').html("Please enter a password to check");
            $('#edhu').focus();
            return;
        }
        
        var pwd_hash = keccak_512(password).substring(0, 10);
        var apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' + encodeURIComponent(pwd_hash);
        
        $.ajax({
            url: apiUrl,
            method: 'GET',
            success: function() {
                $('#message-text').html("Warning: This password has been exposed in data breaches. Please choose a different password.");
            },
            error: function(xhr) {
                if (xhr.status === 404) {
                    $('#message-text').html("Good news! This password hasn't been found in any known data breaches.");
                } else {
                    $('#message-text').html("An error occurred while checking the password. Please try again.");
                }
            }
        });
    });
});

hash($password, 512)), 0, 10);
        $apiUrl = 'https://passwords.xposedornot.com/api/v1/pass/anon/' . urlencode($pwd_hash);
        
        $context = stream_context_create(['http' => ['ignore_errors' => true]]);
        $response = file_get_contents($apiUrl, false, $context);
        
        if ($response === false) {
            $status = $http_response_header[0];
            if (strpos($status, '404') !== false) {
                return "Password is safe!";
            }
            return "Password has been exposed in data breaches";
        }
        
        return "An error occurred while checking the password";
    } catch (Exception $e) {
        return "Error: " . $e->getMessage();
    }
}

# Requirements: pip install pycryptodome requests
from Crypto.Hash import keccak
import requests
import urllib.parse

def check_password(password: str) -> str:
    if not password:
        return "Please enter a password to check"
    
    try:
        # Create SHA3-512 (Keccak) hash
        k = keccak.new(digest_bits=512)
        k.update(password.encode())
        pwd_hash = k.hexdigest()[:10]
        
        # Call API
        api_url = f'https://passwords.xposedornot.com/api/v1/pass/anon/{urllib.parse.quote(pwd_hash)}'
        response = requests.get(api_url)
        
        if response.status_code == 200:
            return "Warning: Password has been exposed in data breaches"
        elif response.status_code == 404:
            return "Good news! Password is safe"
        else:
            return f"Error: Unexpected response (Status code: {response.status_code})"
            
    except Exception as e:
        return f"Error: {str(e)}"

# Example usage
if __name__ == "__main__":
    password = input("Enter password to check: ")
    result = check_password(password)
    print(result)

# Requirements: gem install digest keccak
require 'digest'
require 'net/http'
require 'uri'

def check_password(password)
  return "Please enter a password to check" if password.nil? || password.empty?
  
  begin
    # Create Keccak-512 hash
    digest = Digest::Keccak.new(512)
    pwd_hash = digest.digest(password)[0..9]
    
    # Call API
    uri = URI("https://passwords.xposedornot.com/api/v1/pass/anon/#{URI.encode_www_form_component(pwd_hash)}")
    response = Net::HTTP.get_response(uri)
    
    case response.code
    when '200'
      "Warning: Password has been exposed in data breaches"
    when '404'
      "Good news! Password is safe"
    else
      "Error: Unexpected response (Status code: #{response.code})"
    end
  rescue => e
    "Error: #{e.message}"
  end
end

# Example usage
puts "Enter password to check:"
password = gets.chomp
result = check_password(password)
puts result

// Requirements: Add BouncyCastle dependency to your project
import org.bouncycastle.jcajce.provider.digest.Keccak;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class PasswordChecker {
    public static String checkPassword(String password) {
        if (password == null || password.isEmpty()) {
            return "Please enter a password to check";
        }

        try {
            // Create Keccak-512 hash
            Keccak.Digest512 digest = new Keccak.Digest512();
            byte[] hash = digest.digest(password.getBytes(StandardCharsets.UTF_8));
            String pwd_hash = bytesToHex(hash).substring(0, 10);

            // Call API
            String apiUrl = "https://passwords.xposedornot.com/api/v1/pass/anon/" + 
                           URLEncoder.encode(pwd_hash, StandardCharsets.UTF_8.toString());
            URL url = new URL(apiUrl);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("GET");

            int responseCode = conn.getResponseCode();
            if (responseCode == 200) {
                return "Warning: Password has been exposed in data breaches";
            } else if (responseCode == 404) {
                return "Good news! Password is safe";
            } else {
                return "Error: Unexpected response (Status code: " + responseCode + ")";
            }
        } catch (Exception e) {
            return "Error: " + e.getMessage();
        }
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder result = new StringBuilder();
        for (byte b : bytes) {
            result.append(String.format("%02x", b));
        }
        return result.toString();
    }

    public static void main(String[] args) {
        // Example usage
        String result = checkPassword("test-password");
        System.out.println(result);
    }
}

package main

import (
    "encoding/hex"
    "fmt"
    "net/http"
    "net/url"
    "golang.org/x/crypto/sha3"
)

func checkPassword(password string) string {
    if password == "" {
        return "Please enter a password to check"
    }

    // Create SHA3-512 (Keccak) hash
    hash := sha3.NewLegacyKeccak512()
    hash.Write([]byte(password))
    pwd_hash := hex.EncodeToString(hash.Sum(nil))[:10]

    // Call API
    apiUrl := fmt.Sprintf("https://passwords.xposedornot.com/api/v1/pass/anon/%s",
        url.QueryEscape(pwd_hash))
    
    resp, err := http.Get(apiUrl)
    if err != nil {
        return fmt.Sprintf("Error: %v", err)
    }
    defer resp.Body.Close()

    switch resp.StatusCode {
    case http.StatusOK:
        return "Warning: Password has been exposed in data breaches"
    case http.StatusNotFound:
        return "Good news! Password is safe"
    default:
        return fmt.Sprintf("Error: Unexpected response (Status code: %d)", resp.StatusCode)
    }
}

func main() {
    // Example usage
    var password string
    fmt.Print("Enter password to check: ")
    fmt.Scanln(&password)
    
    result := checkPassword(password)
    fmt.Println(result)
}

// Cargo.toml dependencies:
// [dependencies]
// tiny-keccak = { version = "2.0", features = ["keccak"] }
// reqwest = { version = "0.11", features = ["blocking"] }
// urlencoding = "2.1"

use tiny_keccak::{Hasher, Keccak};

fn check_password(password: &str) -> String {
    if password.is_empty() {
        return "Please enter a password to check".to_string();
    }

    // Create Keccak-512 hash
    let mut hasher = Keccak::v512();
    let mut output = [0u8; 64];
    hasher.update(password.as_bytes());
    hasher.finalize(&mut output);
    let pwd_hash = hex::encode(&output[..5]); // First 10 hex chars

    // Call API
    let api_url = format!(
        "https://passwords.xposedornot.com/api/v1/pass/anon/{}",
        urlencoding::encode(&pwd_hash)
    );

    match reqwest::blocking::get(&api_url) {
        Ok(response) => match response.status().as_u16() {
            200 => "Warning: Password has been exposed in data breaches".to_string(),
            404 => "Good news! Password is safe".to_string(),
            code => format!("Error: Unexpected response (Status code: {})", code),
        },
        Err(e) => format!("Error: {}", e),
    }
}

fn main() {
    // Example usage
    println!("Enter password to check:");
    let mut password = String::new();
    std::io::stdin().read_line(&mut password).unwrap();
    let result = check_password(password.trim());
    println!("{}", result);
}

What should I do if my passwords are exposed?

1. Change your password right away: If you find out your password was compromised in a data breach, change it immediately to a strong and unique password that you're not using anywhere else.

2. Turn on two-factor authentication: Add an extra layer of security to your account by turning on two-factor authentication, which makes it harder for attackers to gain access.

3. Check your account activity: Look at your account activity logs to see if there's been any weird or unauthorized activity, like someone trying to log in or change your settings.

4. Update your security questions: If you had security questions associated with your account, update them, since they may have been compromised too.

5. Check your other accounts: Check if you used the same or similar passwords for any other accounts and update them to strong and unique ones.

6. Keep an eye on your finances: Check your bank and credit card accounts for any transactions you don't recognize or didn't authorize.

7. Report the breach: Let the relevant authorities know about the data breach, whether it's the company that owns the compromised account or a government agency.

8. Use a password manager: Consider using a password manager to create and store strong, unique passwords for all your accounts.

9. Stay alert: Be on the lookout for any signs of identity theft or fraudulent activity, and report anything suspicious right away.

10. Learn more about online security: Educate yourself on the best practices for online security and stay informed about the latest threats and vulnerabilities.

What Should You Do After Data Breach

Join us in shaping this fully open source site! Contributions welcome ❤️ at our GitHub.

Dark Mode

Free Password Security Checker. Is Your Password Leaked?

What is the Xposed Passwords Leak Checker?

Password Security Checker API. Developer Guide

What should I do if my passwords are exposed?

What Should You Do After Data Breach

Legal

Community

Trust

Follow Us

AI Summary