Password Strength Meter

// Password Strength Meter

Your password never leaves your browser. Strength analysis is performed entirely on your device. The breach check only sends a partial hash — your actual password is never transmitted.

Tips

Use at least 12 characters

Mix uppercase, lowercase, numbers, and symbols

Use a unique password for every account

Secure Password Generator →

How Password Strength Is Measured

Password strength is measured in bits of entropy — a mathematical representation of how unpredictable a password is. The formula considers the size of the character pool (lowercase, uppercase, digits, symbols) raised to the power of the password length. Higher entropy means more possible combinations an attacker must try.

For example, a password using only lowercase letters (26 characters) has about 4.7 bits of entropy per character. Add uppercase (52 total) and you get 5.7 bits. Include digits and symbols (95+ characters) and each character contributes about 6.6 bits. A 16-character password with the full character set yields over 100 bits of entropy — practically unbreakable by brute force.

Have I Been Pwned Check

This tool checks your password against the Have I Been Pwned database of over 700 million compromised passwords using k-anonymity. Only the first 5 characters of the SHA-1 hash are sent — the full password never leaves your browser. If a match is found, your password appeared in a known data breach and should be changed immediately.

FAQ

What is password entropy?

Entropy measures password unpredictability in bits. Each bit doubles the number of possible combinations. A password with 60 bits of entropy has 2^60 (about 1 quintillion) possible combinations, making brute-force attacks impractical.

How does the breach check protect my privacy?

We use k-anonymity: your password is SHA-1 hashed locally, and only the first 5 characters of the hash are sent to the API. The server returns all hashes starting with those 5 characters, and the comparison happens entirely in your browser.

Is "time to crack" accurate?

It's an estimate assuming 10 billion guesses per second (a realistic rate for modern GPU clusters). Actual crack time depends on the attack method, hardware, and whether your password matches common patterns.

My password wasn't found in breaches — is it safe?

Not necessarily. An unfound password means it hasn't appeared in known public breaches. It could still be weak to dictionary attacks, pattern matching, or targeted guessing. Always aim for high entropy.