Billions of passwords have been exposed in data breaches. The Common Password Checker API helps you protect your users by detecting if their chosen password appears in known breach databases or common password lists.
Why Check for Common Passwords?
Despite years of security education, users continue to choose predictable passwords. Studies show that "123456", "password", and "qwerty" remain among the most commonly used passwords year after year.
Attackers maintain dictionaries of billions of compromised passwords from past breaches. When attempting unauthorized access, these known passwords are tried first, making accounts with common passwords extremely vulnerable.
How the Checker Works
The API checks passwords against multiple sources:
Breach Databases
Aggregated lists of passwords exposed in public data breaches, covering billions of unique credentials.
Common Password Lists
Curated lists of frequently used passwords including dictionary words, keyboard patterns, and popular choices.
Privacy-Preserving Checks
Uses k-anonymity techniques: with the hash_prefix parameter, only a SHA-1 hash prefix is sent, so the actual password is never transmitted in plain text to our servers.
Using the Common Password Checker API
TinyFn provides a privacy-preserving endpoint to check passwords:
```
POST https://api.tinyfn.io/v1/password/check-common
Headers: X-API-Key: your-api-key
         Content-Type: application/json

{
  "password": "password123"
}
```

Response:

```json
{
  "is_common": true,
  "found_in": ["breach_database", "common_list"],
  "breach_count": 24567890,
  "recommendation": "This password has been exposed in data breaches. Choose a different password.",
  "risk_level": "critical"
}
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| password | string | The password to check (required) |
| hash_prefix | string | SHA-1 hash prefix for k-anonymity check (alternative to password) |
| include_count | boolean | Include breach occurrence count (default: true) |
Code Examples
JavaScript / Node.js
```javascript
// Top-level await: run as an ES module (Node.js 18+ ships fetch)
const response = await fetch(
  'https://api.tinyfn.io/v1/password/check-common',
  {
    method: 'POST',
    headers: {
      'X-API-Key': 'your-api-key',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ password: 'password123' })
  }
);
const result = await response.json();

// is_common is true when the password appears in a breach database or common list
if (result.is_common) {
  console.log(`Warning: ${result.recommendation}`);
}
```
Python
```python
import requests

# json= serializes the body and sets the Content-Type header
response = requests.post(
    'https://api.tinyfn.io/v1/password/check-common',
    headers={'X-API-Key': 'your-api-key'},
    json={'password': 'password123'}
)
result = response.json()

if result['is_common']:
    print(f"Found in {result['breach_count']:,} breaches")
```
cURL
```bash
curl -X POST "https://api.tinyfn.io/v1/password/check-common" \
  -H "X-API-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{"password": "password123"}'
```
Common Use Cases
- User Registration: Prevent new accounts from using compromised passwords
- Password Changes: Block users from switching to known-weak passwords
- Security Audits: Check existing user base for compromised credentials
- Compliance: Meet NIST 800-63B requirements for credential screening
- Enterprise SSO: Enforce password policies across the organization
Best Practices
- Check on registration and change: Always verify passwords at creation and modification
- Provide clear feedback: Explain why the password was rejected and suggest alternatives
- Combine with strength analysis: Use alongside password strength checking for comprehensive protection
- Consider periodic checks: Re-validate existing passwords as new breaches are discovered
- Use k-anonymity: Prefer hash-prefix checks for maximum privacy
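The hash-prefix check recommended above, sketched as an added example (not TinyFn's own code): the client hashes locally and sends only a prefix through the documented hash_prefix parameter. The 5-character prefix length, the suffix-to-count response shape and the in-memory SimulatedRangeServer are assumptions, since the page does not document them.

```python
import hashlib

PREFIX_LEN = 5  # assumption: the page does not state the prefix length


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, computed client-side."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_request_body(password: str) -> dict:
    """JSON body using the documented hash_prefix parameter instead of password."""
    return {"hash_prefix": sha1_hex(password)[:PREFIX_LEN], "include_count": True}


class SimulatedRangeServer:
    """Hypothetical stand-in for the service, loaded with a constructed breach list."""

    def __init__(self, breached: dict):
        self.buckets = {}  # prefix -> {suffix: count}
        self.seen = []     # every request body the "server" received
        for password, count in breached.items():
            digest = sha1_hex(password)
            bucket = self.buckets.setdefault(digest[:PREFIX_LEN], {})
            bucket[digest[PREFIX_LEN:]] = count

    def query(self, body: dict) -> dict:
        """Return all suffixes sharing the prefix (assumed response shape)."""
        self.seen.append(body)
        return dict(self.buckets.get(body["hash_prefix"], {}))


def breach_count(password: str, server: SimulatedRangeServer) -> int:
    """Match the suffix locally; the server never learns which entry was checked."""
    candidates = server.query(build_request_body(password))
    return candidates.get(sha1_hex(password)[PREFIX_LEN:], 0)


if __name__ == "__main__":
    server = SimulatedRangeServer({"password123": 1000, "qwerty": 500})  # constructed
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, server))
    print("server saw:", server.seen)
```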
Use via MCP
Your AI agent can call this tool directly via Model Context Protocol — no HTTP code needed. Add TinyFn to Claude Desktop, Cursor, or any MCP client:
```json
{
  "mcpServers": {
    "tinyfn-password": {
      "url": "https://api.tinyfn.io/mcp/password/",
      "headers": {
        "X-API-Key": "your-api-key"
      }
    }
  }
}
```
See all password tools available via MCP in our Password MCP Tools for AI Agents guide.
Try the Common Password Checker API
Get your free API key and start protecting users from compromised credentials.