How to Check if Your Password Has Been Pwned: A Beginner's Guide
On this page
Here's a question most people can't answer: has your password ever been stolen?
If you're not sure, you're not alone. Data breaches happen so often now that most of us have lost count. In fact, security researchers estimate that over 15 billion passwords are currently circulating on the dark web — that's roughly two passwords for every person on the planet. And the number grows every single day.
The good news? You don't need to be a tech wizard to find out if yours is among them. There are free tools that can tell you in seconds whether your passwords have been exposed. And if they have, there are simple steps you can take to lock things down. This guide walks you through everything — no jargon, no panic, just clear instructions.
What Does It Mean If Your Password Is "Pwned"?
Let's start with the word itself. "Pwned" (pronounced "poned") is internet slang that means someone has been compromised or taken over. It started in gaming culture — when one player completely dominated another, they had been "pwned." In the security world, it means your account credentials have been stolen.
Here's how it usually happens:
- A company gets hacked. A website, app, or service you use suffers a data breach. Think of the big ones you've heard about: LinkedIn, Facebook, Adobe, Marriott, or even smaller sites like forums and online stores.
- Your details get stolen. The hackers walk away with a database full of usernames, email addresses, and passwords. Sometimes these passwords are encrypted, but often they're stored in ways that criminals can crack open.
- Your credentials end up on the dark web. The stolen data gets traded, sold, or published online for other criminals to use.
- Criminals use your password for credential stuffing. This is exactly what it sounds like — they take your email and password and try logging into other websites with it. If you reused that password anywhere else, those accounts are now at risk too.
The scary part is that many breaches go unnoticed by the public. You might have had your password stolen years ago and never known about it — until now.
How to Check if You've Been Pwned
There are several ways to check, but they all rely on the same databases of stolen credentials. Here are the easiest ones:
1. Have I Been Pwned (HIBP) — the main tool
Have I Been Pwned is the gold standard. It's a free website run by security expert Troy Hunt. Here's how to use it:
- Go to haveibeenpwned.com
- Type your email address into the search box
- Click "pwned?" — and within seconds, you'll see a list of every known data breach that includes your email
That's it. No sign-up, no password, no personal data stored. The site is completely safe and is recommended by cybersecurity organisations including the UK's National Cyber Security Centre (NCSC).
If your email shows up in any breaches, the site will tell you which ones and what data was exposed — names, emails, passwords, and sometimes even credit card numbers or physical addresses.
2. Firefox Monitor
If you use the Firefox browser, you already have a built-in breach checker. Firefox Monitor uses the same data as Have I Been Pwned but integrates it directly into your browser. You can enter your email on the Firefox Monitor website, or enable notifications so Firefox alerts you when new breaches affect your accounts.
3. Password manager breach checks
Most modern password managers include a breach monitoring feature. For example, NordPass includes a built-in breach scanner that checks your saved credentials against known data breaches. It tells you which of your passwords have been exposed and which ones you've reused — all in one dashboard. This is by far the most convenient option if you're already using a password manager, as it checks all your saved accounts automatically.
What to Do If You've Been Pwned
Let's say you checked and your email shows up in a breach. Here's what to do, in order:
Step 1: Change that password immediately
Log into the affected account and change the password right away. Use a strong, unique password — at least 12 characters, mixing letters, numbers, and symbols. Our free password generator can create one for you instantly. Don't reuse the old password or any variation of it.
Step 2: Change any other account using the same password
This is the most important step. If you used that same password on any other website — your email, your bank, your Netflix, your online shopping accounts — change those too. Criminals count on password reuse. Every account sharing that password needs a fresh, unique one.
Step 3: Enable multi-factor authentication (MFA)
MFA adds a second layer of protection. Even if a criminal gets your password, they'll need a code from your phone or a fingerprint to get in. Enable MFA on every account that offers it — especially your email, banking, and social media accounts. Most services let you set it up in under two minutes.
Step 4: Use a password generator for the new password
Don't try to invent a "clever" password yourself. Humans are terrible at creating truly random passwords. Instead, use a password generator like Free Strong Password to create a secure, random password. A password manager like NordPass can generate and store these passwords for you, so you never have to remember them.
How to Prevent It in the Future
You can't stop companies from getting hacked, but you can make sure that when they do, your passwords stay safe. Here's how:
Use a unique password for every single account
This is the golden rule of password security. If every account has its own unique password, a breach at one website doesn't affect any of your other accounts. A password manager makes this easy — you only need to remember one master password, and the manager handles the rest.
Use a password generator
Stop making up your own passwords. Use Free Strong Password's password generator to create strong, random passwords instantly. It's free, it runs in your browser, and it doesn't store or track anything you generate.
Enable multi-factor authentication everywhere
According to Microsoft, MFA blocks 99.9% of automated attacks. It's the single most effective security measure you can take. Turn it on for your email, banking, social media, and any other important accounts.
Monitor with breach tools
Subscribe to Have I Been Pwned's notification service so you get an email alert if your accounts appear in future breaches. If you use a password manager with breach monitoring, enable that feature too. Checking once a month takes ten seconds and could save you hours of hassle later.
Frequently Asked Questions
What does "pwned" actually mean?
Pwned (pronounced "poned") is internet slang that means someone has been compromised or taken over. When we say your password has been pwned, we mean it has been stolen in a data breach and is now out there on the internet for criminals to use.
Is it safe to enter my email on Have I Been Pwned?
Yes. Have I Been Pwned is run by Troy Hunt, a well-known security expert. It doesn't store your email address or share it with anyone. The site is recommended by cybersecurity organisations including the UK's NCSC and is used by millions of people worldwide.
What if my password appears in a breach but it's old?
Even if it's an old password, change it immediately if you still use it anywhere. Criminals trade databases of old breaches all the time. If you haven't used that password in years and it was unique to that account, you're probably fine — but it's worth checking you haven't reused it elsewhere.
Can I check if a specific password has been pwned without entering it?
Yes. Have I Been Pwned has a separate tool called Pwned Passwords. You can enter a password (not your email) to check if it has appeared in any data breaches. The site uses k-anonymity so it never sees your full password — it only sends the first 5 characters of its hash. This is safe to use.
How often should I check if my passwords have been pwned?
We recommend checking once a month. New data breaches happen every week, and checking regularly means you can act quickly if one of your accounts is affected. Set a reminder on your phone or subscribe to Have I Been Pwned's notification service for automatic alerts.