Reefscan is a free tool from Lionfish Cyber Security — Empower. Lead. Defend.
Reefscan by Lionfish
Zero-Knowledge Password Check

Has your password been pwned?

We check your password against 1+ billion known-breached passwords — without ever sending it to our servers.

Only the first 5 hex characters of the SHA-1 hash leave your browser (k-anonymity). Your actual password is never transmitted.

How does this work?

  1. Your password is hashed to SHA-1 in your browser using the Web Crypto API.
  2. We send only the first 5 hex characters of that hash to the HIBP Pwned Passwords API.
  3. HIBP returns every hash suffix that starts with those 5 characters (~500 results — none of which uniquely identify your password).
  4. Your browser checks if your full hash appears in that list and reports the breach count.

This is the same k-anonymity protocol used by 1Password, Apple, Microsoft Edge, and Cloudflare. Read the k-anonymity spec.