This Python Script Checks If Your Passwords Are Leaked Online

A simple yet powerful script to alert you if your credentials have been exposed in a data breach — using HaveIBeenPwned’s API.

Your passwords might already be out there — and you wouldn’t even know.

We’ve all reused passwords. That one “super strong” password we made in 2015? It’s probably floating around in some dark web dump right now.

If attackers get hold of even one of your passwords, they can potentially:

  • Gain access to your personal and professional accounts
  • Use credential stuffing to test it across multiple services
  • Blackmail or phish you with sensitive data

And the worst part? You likely wouldn’t know until the damage is already done.

That’s where this Python script comes in. It checks if your password has appeared in any known data breaches — without ever exposing the password itself.

In this article, I’ll walk you through how it works and how you can run it on your system in under 5 minutes.


What Is HaveIBeenPwned (And Why Should You Trust It)?

HaveIBeenPwned (HIBP) is a free and trustworthy service created by security researcher Troy Hunt. It aggregates data from hundreds of public breaches — think Dropbox, LinkedIn, Adobe, etc. — and lets users check if their credentials have been compromised.

The best part? HIBP offers a secure public API that supports anonymous password searches using the k-Anonymity model, so your actual password never leaves your machine.

How This Python Script Works (Spoiler: It’s Genius)

The script uses a privacy-preserving technique based on SHA-1 hashing and the k-Anonymity model.

Here’s the logic:

  1. Hash your password locally with SHA-1 (HIBP stores upper-case hex SHA-1 digests).
  2. Send only the first 5 hexadecimal characters of that hash to HIBP.
  3. HIBP returns every hash suffix it knows for that prefix, each with the number of times it appeared in breaches.
  4. You compare the remaining 35 characters of your own hash against that list locally.

This way, HIBP never sees your actual password.


The Python Script

# check_password.py
import hashlib
import requests
import sys

def request_api_data(query_char):
    # Only the 5-character hash prefix is sent; HIBP answers with every
    # suffix it knows for that prefix (k-Anonymity).
    url = f'https://api.pwnedpasswords.com/range/{query_char}'
    res = requests.get(url, timeout=10)  # don't hang forever on a slow network
    if res.status_code != 200:
        raise RuntimeError(f'Error fetching: {res.status_code}, check API and try again.')
    return res

def get_password_leaks_count(hashes, hash_to_check):
    # Each response line is 'SUFFIX:COUNT'; the comparison happens locally
    hashes = (line.split(':') for line in hashes.text.splitlines())
    for h, count in hashes:
        if h == hash_to_check:
            return int(count)
    return 0

def pwned_api_check(password):
    # Upper-case hex SHA-1, split into the prefix we send and the tail we keep
    sha1_password = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
    first5, tail = sha1_password[:5], sha1_password[5:]
    response = request_api_data(first5)
    return get_password_leaks_count(response, tail)

def main(args):
    for password in args:
        count = pwned_api_check(password)
        if count:
            print(f'⚠️ "{password}" was found {count:,} times. You should change your password.')
        else:
            print(f'✅ "{password}" was NOT found. Carry on!')

if __name__ == '__main__':
    if len(sys.argv) <= 1:
        print("Usage: python check_password.py [password1] [password2] ...")
    else:
        main(sys.argv[1:])

How to Run It (Step-by-Step)

  • Install Python (if not already):
python --version

If it’s not installed, download it here.

  • Save the script as check_password.py.
  • Open a terminal and run:
python check_password.py yourpassword123 anotherpassword

Example output:

⚠️ "123456" was found 23,432,432 times. You should change your password. 
✅ "myC0mplic@tedP@ss!" was NOT found. Carry on!

Is This Really Safe?

Yes — and here’s why:

  • The script never sends your full password to the internet.
  • It only shares the first 5 characters of your hashed password.
  • All comparisons are done locally on your machine.
  • It uses the official HIBP API, which is designed with security in mind.

This is one of the rare cases where you can verify your password’s safety without risking even more exposure.

Bonus: Check All Your Passwords at Once

You can modify the script to check a list of saved passwords from a file:

with open("passwords.txt") as file: 
    passwords = [line.strip() for line in file] 
 
main(passwords)

Just make sure that file is securely stored (or better yet, deleted after use).
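As an added example (not the article's script), here is the same k-Anonymity lookup from "How This Python Script Works" split into an offline-testable part and a stdlib network part, with a file-batch mode for the case above and a getpass mode that keeps the password out of shell history. The function names, the hibp_check.py file name, the User-Agent string and the sample response body are my own choices; the sample body is constructed, not real API output.

```python
# Added example (not the article's script): the k-Anonymity lookup split into an
# offline-testable part and a stdlib network part, with file-batch and getpass modes.
import getpass
import hashlib
import sys
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

def split_sha1(password):
    # the 5-char prefix goes to HIBP; the 35-char suffix is only compared locally
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    # 'SUFFIX:COUNT' lines; tolerate CRLF/blank/lower-case, keep Add-Padding's count-0 entries
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    # Add-Padding evens out response sizes so an observer cannot tell prefixes apart by length
    req = urllib.request.Request(API + prefix, headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def leak_count(password, fetch=fetch_range):
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

# Constructed sample body for prefix 5BAA6 (SHA-1 of "password" begins 5BAA6): the
# first suffix is the real one for "password"; other suffixes and all counts are made up.
SAMPLE_BODY = ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n003d68eb55068c33ace09739e4edb3e7a8e:0\r\n"
               "\r\n00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n")

def offline_fetch(prefix):  # stand-in for fetch_range that never touches the network
    return SAMPLE_BODY if prefix == "5BAA6" else ""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # batch mode: python hibp_check.py passwords.txt
        with open(sys.argv[1]) as f:
            passwords = [p.rstrip("\r\n") for p in f if p.strip()]
    else:  # getpass keeps the password out of shell history and `ps` output
        passwords = [getpass.getpass("Password to check: ")]
    for n, c in enumerate(map(leak_count, passwords), 1):  # never echo the plaintext
        print(f"entry {n}: " + (f"found {c:,} times" if c else "not found"))
```

Results are reported by entry number rather than by password, so nothing sensitive lands in terminal scrollback or log files.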

Pro Tips to Stay Ahead of Breaches

Even if none of your passwords are leaked now, it doesn’t mean they won’t be tomorrow. Here’s how to stay secure:

  • Use a password manager like Bitwarden or 1Password to generate unique passwords.
  • Enable two-factor authentication (2FA) wherever possible.
  • Avoid reusing passwords across services.
  • Set reminders to audit your passwords quarterly.
  • Use passphrases — longer, memorable combinations like: correct-battery-staple-42.

Final Thoughts: Security Is a Moving Target

We live in a time where data breaches are inevitable. But how we respond — proactively or reactively — makes all the difference.

This script isn’t just a cool Python project — it’s a personal security audit that takes 5 minutes but could save you months of pain. Run it now. Share it with your developer friends. And take control of your digital hygiene before someone else does.

What’s Next?

If you enjoyed this script:

  • Try building a CLI tool around it.
  • Extend it to check your email against HIBP.
  • Add it to your daily shell aliases.

Secure code. Safe habits. Better sleep.
