Password Strength Checker

Type a password and see how strong it really is. Entropy, pattern detection, and crack-time estimates, all computed locally.

Privacy: the strength analysis runs entirely in this page's JavaScript. Your password is never sent anywhere. The optional breach check below sends only the first five characters of your password's hash, never the password itself.

Optional. Looks the password up in the Have I Been Pwned breach database using k-anonymity: only the first 5 characters of its SHA-1 hash are sent, so neither the password nor its full hash ever leaves your browser.
How is strength actually measured?

Entropy in one line

Entropy (in bits) estimates how many guesses an attacker would need on average to find your password. log2(pool_size) × length is the simple ceiling, but real attackers don't try random characters; they try common patterns first. So we discount for things like dictionary words, all-lowercase, sequential characters, repeats, keyboard walks, and common substitutions.

Why "time to crack" depends on the attacker

The same password takes wildly different times to crack depending on how it's stored on the defender's side:

  • Plain SHA-256 / MD5: GPUs can compute billions of hashes per second. A 10-char lowercase password falls in hours.
  • bcrypt / Argon2 / scrypt: deliberately slow. The same password might take a thousand times longer because each guess costs milliseconds of CPU (and, for Argon2 and scrypt, memory) rather than nanoseconds.
  • Online (have to send each guess to a server): rate-limited by network latency and the server's anti-brute-force controls. Even weak passwords survive online attacks for a long time.

The honest summary

Length matters more than complexity. A 20-character all-lowercase passphrase is harder to crack than an 8-character "Hu7!tBn3" if both use the same hash. Use a password manager and generate random ones whenever possible.
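The following is an added example, not the page's own checker code. It implements the estimate described in "Entropy in one line" (the log2(pool_size) × length ceiling, discounted for dictionary words, repeats, sequences, keyboard walks and common substitutions) and then converts the result into crack times under the three attacker models listed above. The word list, keyboard rows, guess rates and penalty weights are constructed assumptions for illustration; a real checker uses a large word list and tuned weights. It also checks the claim in the summary: a 20-character lowercase passphrase scores far above "Hu7!tBn3".

```javascript
// Assumed guesses per second for each attacker model (illustrative values).
const ATTACKERS = {
  gpuFastHash: 1e10, // plain SHA-256 / MD5 on a GPU rig (assumed)
  slowHash: 1e4,     // bcrypt / Argon2 / scrypt at a sensible cost (assumed)
  online: 10,        // rate-limited login endpoint (assumed)
};

// Tiny constructed dictionary; a real checker uses tens of thousands of words.
const COMMON_WORDS = ['password', 'welcome', 'dragon', 'monkey',
                      'letmein', 'summer', 'qwerty', 'football'];
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
// Common substitutions, undone before the dictionary lookup.
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i' };

// Size of the character classes actually used (all-lowercase => 26).
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII punctuation
  return pool;
}

function keyboardAdjacent(a, b) {
  return KEYBOARD_ROWS.some(row => {
    const i = row.indexOf(a);
    return i >= 0 && (row[i + 1] === b || row[i - 1] === b);
  });
}

// Bits lost to repeats (aaa), sequences (abc, 123) and keyboard walks (asdf):
// inside a run of 3+ such characters, each character after the first is worth
// roughly 1 bit (which of a few neighbours?) instead of a full log2(pool) bits.
function runPenalty(pw, bitsPerChar) {
  const s = pw.toLowerCase();
  const close = run => (run >= 3 ? (run - 1) * (bitsPerChar - 1) : 0);
  let penalty = 0, run = 1;
  for (let i = 1; i < s.length; i++) {
    const prev = s.charCodeAt(i - 1), cur = s.charCodeAt(i);
    if (cur === prev || cur === prev + 1 || cur === prev - 1 || keyboardAdjacent(s[i - 1], s[i])) {
      run++;
    } else {
      penalty += close(run);
      run = 1;
    }
  }
  return penalty + close(run);
}

// Bits lost to dictionary words: a word found after undoing substitutions
// ("p@ssw0rd" -> "password") is worth log2(dictionary size) bits, not
// length * log2(pool) bits.
function dictionaryPenalty(pw, bitsPerChar) {
  const unleet = pw.toLowerCase().replace(/[013457@$!]/g, c => LEET[c]);
  let penalty = 0;
  for (const word of COMMON_WORDS) {
    if (unleet.includes(word)) {
      penalty += word.length * bitsPerChar - Math.log2(COMMON_WORDS.length);
    }
  }
  return penalty;
}

// The naive ceiling log2(pool) * length minus the pattern discounts, floored at 0.
function estimateBits(pw) {
  if (!pw) return 0;
  const bitsPerChar = Math.log2(poolSize(pw));
  const naive = pw.length * bitsPerChar;
  return Math.max(0, naive - runPenalty(pw, bitsPerChar) - dictionaryPenalty(pw, bitsPerChar));
}

// Average seconds to crack: half the keyspace (2^(bits-1)) at the attacker's guess rate.
function crackTimes(bits) {
  const out = {};
  for (const [name, rate] of Object.entries(ATTACKERS)) out[name] = Math.pow(2, bits - 1) / rate;
  return out;
}

function humanTime(sec) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60], ['seconds', 1]];
  for (const [label, size] of units) if (sec >= size) return `${(sec / size).toPrecision(3)} ${label}`;
  return 'instant';
}

// Constructed sample passwords: the page's 8-char example, a 20-char lowercase
// passphrase, and a dictionary word with substitutions plus a digit sequence.
for (const pw of ['Hu7!tBn3', 'purplebananaclocktea', 'p@ssw0rd123']) {
  const bits = estimateBits(pw);
  const report = Object.entries(crackTimes(bits)).map(([k, v]) => `${k}: ${humanTime(v)}`);
  console.log(pw.padEnd(22), bits.toFixed(1).padStart(5), 'bits |', report.join(' | '));
}
```

Note how "p@ssw0rd123" starts at about 67 naive bits from its mixed character classes but drops to about 11 once the substitutions are undone and the "123" tail is recognised as a sequence, while the all-lowercase passphrase keeps its full 94 bits because no pattern applies. The attacker-model numbers are the only thing separating "hours" from "centuries" for the same password, which is exactly the point of the list above.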

How the breach check stays private (k-anonymity)

A strong password can still be unsafe if it has already leaked in a breach, because attackers try known-leaked passwords first. The optional breach check tells you whether yours is one of them, without ever sending it:

  • Your browser computes the SHA-1 hash of the password locally.
  • It sends only the first 5 hex characters of that hash to the Have I Been Pwned range API. Hundreds of different passwords share any 5-character prefix, so the service cannot tell which one you have.
  • The API returns every leaked hash that starts with those 5 characters. Your browser compares the remaining 35 characters of its own hash against that list locally and reports whether there is a match.

The password and its full hash never leave the page. This is the same model password managers use. Data from Have I Been Pwned.