Passphrase Guidance

Follow the simple steps below to choose a strong passphrase for your digital accounts.


Passphrase Generator

Generate a passphrase until you find one you like!

gaol thicken 0 ennui

Words provided by 1Password. The full list is available to download here


Check for Leaks!

Check if an email address or password you use has been leaked onto the internet. Email addresses and passwords entered below are not monitored or stored.

  That Email Address Hasn't Been Leaked!

It wasn't found in any publicly leaked lists.

  That Email Address Has Been Leaked!

It was found in publicly leaked lists.

What Should I Do Now?

  • You should change the password on your account for the sites or services listed below. You can use the tools and guidance at the top of this page to help.
  • If you have used the same password on other sites or services, consider changing the password on those accounts too.
  • If the email address was leaked recently, you might see an increase in the number of unexpected messages in your Inbox. Be cautious about following links from senders you don't recognise or those asking for any sensitive details from you such as passwords or payment information. You can find some more guidance on spotting malicious emails on the NCSC website.
  • You can sign up to be automatically alerted if your email address is ever leaked in the future by using the service Have I Been Pwned. The service is free and you only need to provide your email address to use it. Follow the 'Notify Me' link in the main menu.

Who Leaked It?

This tool uses the service Have I Been Pwned. Email addresses may be transmitted outside of the EU.

  That Password Has Been Leaked!

It is associated with leaked accounts.

This doesn't necessarily mean one of your online accounts has been compromised; other people may be using the same password. However, any account that uses this password is at risk.

What Should I Do Now?

  • Immediately change the password on any accounts where it's used. You can use the tools and guidance at the top of this page to help.
  • If you have used a very similar password on any accounts, it should be changed there too.
  • Check any important sites or services where you were using the password, for activity that you don't recognise. Contact the site or service if there are any signs your account was accessed by someone else.
  • Consider using multi- or two-factor authentication (MFA or 2FA) on all online accounts to provide additional protection if your password is leaked. You can find some more guidance on setting up this layer of protection on the NCSC website.
  • On many popular services you can enable 'sign in alerts' that will notify you whenever your account is accessed.

  That Password Hasn't Been Leaked!

It isn't associated with any leaked accounts.

This tool uses the service Have I Been Pwned. All passwords are obscured before transmission and cannot be accessed by the service.
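How a password can be checked without the service ever seeing it, as an added example that is not this page's own code. It assumes the tool uses the Have I Been Pwned range lookup (SHA-1 the password, send only the first five hex characters, compare the remainder locally); the function names, the ConstructedRangeService stand-in and its leaked entries are constructed for illustration so the example runs offline.

```python
import hashlib

def split_hash(password):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def leak_count(password, fetch_range):
    """Times the password appears in the leaked corpus; 0 if not found.

    fetch_range(prefix) is the only call that leaves the machine, and it
    receives just the 5-character prefix, never the password or full hash.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

class ConstructedRangeService:
    """Offline stand-in for the remote service (assumption: constructed data)."""
    def __init__(self, leaked):
        self.seen = []      # everything the "service" was ever sent
        self.buckets = {}   # prefix -> list of 'SUFFIX:COUNT' lines
        for pw, count in leaked.items():
            prefix, suffix = split_hash(pw)
            self.buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(self, prefix):
        self.seen.append(prefix)
        # Constructed decoy entry plus a zero-count padding line in every bucket.
        decoys = ["0" * 35 + ":3", "F" * 35 + ":0"]
        return "\r\n".join(self.buckets.get(prefix, []) + decoys)

if __name__ == "__main__":
    service = ConstructedRangeService({"password": 1234, "letmein": 56})
    for candidate in ("password", "gaol thicken 0 ennui"):
        print(candidate, "->", leak_count(candidate, service.fetch))
    print("sent to service:", service.seen)
```

The service learns only which five-character bucket was asked for; the match against the remaining 35 characters happens on the caller's side.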