Cyreslab-AI

Have I Been Pwned MCP Server

check_password

Verify if a password has been exposed in data breaches using k-anonymity via the Have I Been Pwned API. Ensure account security by identifying compromised passwords.

Instructions

Check if a password has been exposed in data breaches (using k-anonymity)

Input Schema

Name      Required  Description        Default
password  Yes       Password to check

Implementation Reference

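  • The handler function that implements the core logic of the 'check_password' tool. It hashes the password with SHA-1 and sends only the first five hex characters of the hash to the Pwned Passwords range API (k-anonymity); the remaining 35 characters are compared locally against the returned list, so neither the password nor its full hash is sent to the API.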
    private async handleCheckPassword(args: any) {
      if (!args.password || typeof args.password !== "string") {
        throw new McpError(
          ErrorCode.InvalidParams,
          "Password is required"
        );
      }

      // Hash the password with SHA-1
      const sha1Hash = crypto.createHash("sha1").update(args.password).digest("hex").toUpperCase();

      // Get the first 5 characters (prefix) and the rest (suffix)
      const prefix = sha1Hash.substring(0, 5);
      const suffix = sha1Hash.substring(5);

      // Query the API with just the prefix (k-anonymity)
      const response = await axios.get(`https://api.pwnedpasswords.com/range/${prefix}`);

      // Parse the response to find if our suffix is in the list
      const hashes = response.data.split("\n");
      let found = false;
      let occurrences = 0;

      for (const hash of hashes) {
        const [hashSuffix, count] = hash.split(":");
        if (hashSuffix.trim() === suffix) {
          found = true;
          occurrences = parseInt(count.trim(), 10);
          break;
        }
      }

      if (found) {
        return {
          content: [
            {
              type: "text",
              text: `⚠️ This password has been exposed in data breaches ${occurrences.toLocaleString()} times!\n\nRecommendations:\n- Stop using this password immediately\n- Change it on any site where you use it\n- Use a unique, strong password for each account\n- Consider using a password manager`,
            },
          ],
        };
      } else {
        return {
          content: [
            {
              type: "text",
              text: "Good news! This password hasn't been found in any known data breaches. However, remember to use strong, unique passwords for each account and consider using a password manager.",
            },
          ],
        };
      }
    }
  • The input schema defining the parameters for the 'check_password' tool (requires a 'password' string).
    inputSchema: {
      type: "object",
      properties: {
        password: {
          type: "string",
          description: "Password to check",
        },
      },
      required: ["password"],
    },
  • src/index.ts:104-117 (registration)
    Registration of the 'check_password' tool in the ListTools handler, including name, description, and schema.
    {
      name: "check_password",
      description: "Check if a password has been exposed in data breaches (using k-anonymity)",
      inputSchema: {
        type: "object",
        properties: {
          password: {
            type: "string",
            description: "Password to check",
          },
        },
        required: ["password"],
      },
    },
  • src/index.ts:167-168 (registration)
    Dispatch/registration in the CallToolRequestSchema switch statement that routes calls to the handleCheckPassword method.
    case "check_password":
      return await this.handleCheckPassword(request.params.arguments);
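
The same k-anonymity lookup with the response parsing separated from the network call so it can be exercised offline, as an added example that is not part of the project's code. The function names and the sample response body are constructed for illustration; the parser also tolerates CRLF line endings, blank or malformed lines, and the zero-count rows the API returns when padded responses are requested.

```javascript
const crypto = require("node:crypto");

// Split a password's SHA-1 into the 5-character prefix that is sent to the
// range endpoint and the 35-character suffix that stays local.
function splitHash(password) {
  const sha1 = crypto.createHash("sha1").update(password, "utf8")
    .digest("hex").toUpperCase();
  return { prefix: sha1.slice(0, 5), suffix: sha1.slice(5) };
}

// Parse a range response body ("SUFFIX:COUNT" per line) and return the
// breach count for `suffix`, or 0 when the suffix is absent.
function countInRange(body, suffix) {
  const wanted = suffix.toUpperCase();
  for (const line of body.split(/\r?\n/)) {
    const sep = line.indexOf(":");
    if (sep !== 35) continue; // blank or malformed line: skip, do not throw
    if (line.slice(0, sep).toUpperCase() !== wanted) continue;
    const count = Number.parseInt(line.slice(sep + 1).trim(), 10);
    // Padding rows carry a count of 0 and must not be reported as a hit.
    return Number.isInteger(count) && count > 0 ? count : 0;
  }
  return 0;
}

// Combine both steps. In a live check, rangeBody is the text returned by
// https://api.pwnedpasswords.com/range/<prefix>; here it is passed in.
function checkPassword(password, rangeBody) {
  const { prefix, suffix } = splitHash(password);
  const occurrences = countInRange(rangeBody, suffix);
  return { prefix, exposed: occurrences > 0, occurrences };
}

// Constructed sample body for prefix 5BAA6: CRLF endings, one real-looking
// row, the suffix of SHA-1("password") with a made-up count, one padding
// row with count 0, and a trailing blank line.
const PADDING_SUFFIX = "00D4F6E8FA6EECAD2A3AA415EEC418D38EC";
const SAMPLE_BODY = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
  `${PADDING_SUFFIX}:0`,
  "",
].join("\r\n");

console.log(checkPassword("password", SAMPLE_BODY));
```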

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Cyreslab-AI/hibp-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server