Breached password detection that respects privacy.
Screen passwords against known-compromised sets without sending plaintext passwords. k-Anonymity keeps your users' credentials safe — even from us.
Built for production authentication flows
Privacy-Preserving by Design
k-Anonymity range queries mean you never send the full password hash. LeakJar sees only a short prefix — we cannot reconstruct or identify the original credential.
Configurable Policy Outcomes
Match signals are yours to act on. Block the password outright, require step-up verification, force a reset, or silently notify your security team.
Low-Latency, High-Throughput
p95 response times under 50ms. Designed to sit in the critical path of signup and authentication flows without adding perceptible delay.
Screen at every critical moment
Integrate breach checks wherever passwords are set or changed in your application.
Signup
Prevent users from registering with passwords already known to be compromised. Catch the risk before an account is ever created.
Password Change
Screen new passwords during voluntary changes. Ensure users aren't rotating into another compromised credential.
Password Reset
Enforce breach checks during reset flows. Especially critical after an incident or as part of a forced rotation campaign.
Your policy, your rules
LeakJar detects the risk. You decide the response. Configure policy outcomes per project, per flow, or per risk level.
Block
Reject the password immediately. The user must choose a credential that has not appeared in known breaches.
Step-Up (MFA)
Allow the password but require an additional verification factor. Balances security with user experience.
Force Reset
Accept the password now but mark the account for a mandatory reset within a defined time window.
Notify
Log the match and alert the user or security team without blocking access. Useful during rollout and monitoring phases.
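The k-anonymity range query and the per-flow policy outcomes described above, sketched as an added example; this is not LeakJar's API or client code. The SHA-1 digest, the 5-character prefix, `mock_range_query`, the sample corpus and the `POLICY` table are all assumptions made for illustration.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # assumption: hex characters of the SHA-1 digest sent to the service
BREACH_CORPUS = ["password", "123456", "letmein"]  # constructed sample data
SEEN_BY_SERVICE = []  # everything the mock service ever receives

# Constructed per-flow policy using the four outcomes named on this page.
POLICY = {"signup": "block", "password_change": "force_reset",
          "password_reset": "step_up"}
DEFAULT_OUTCOME = "notify"  # e.g. for flows still in a monitoring rollout


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def mock_range_query(prefix):
    """Hypothetical service side: given a prefix, return matching hash suffixes."""
    SEEN_BY_SERVICE.append(prefix)
    return [h[PREFIX_LEN:] for h in map(sha1_hex, BREACH_CORPUS)
            if h.startswith(prefix)]


def is_breached(password, range_query=mock_range_query):
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = range_query(prefix)  # only the prefix leaves this process
    # The match is decided locally, so the service never learns the result.
    return any(hmac.compare_digest(suffix, c) for c in candidates)


def screen(flow, password, range_query=mock_range_query):
    """Return 'allow' or the configured outcome for a breached password."""
    if not is_breached(password, range_query):
        return "allow"
    return POLICY.get(flow, DEFAULT_OUTCOME)
```

In a real integration `range_query` would be the network call to the screening service; everything the service can observe is what ends up in `SEEN_BY_SERVICE` here.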