Security · Privacy · Client-side

Password &
Breach Auditor_

A privacy-first credential checker that runs entirely in the browser. It estimates password strength and crack time with a from-scratch heuristic, and checks whether a password has appeared in a real breach using HaveIBeenPwned k-anonymity — so only the first five characters of its SHA-1 hash ever leave your device.

Vanilla JS Web Crypto (SHA-1) k-anonymity HIBP range API Entropy model Zero backend
auditor — live passcheck.html
The Password & Breach Auditor showing a strength meter, entropy, crack-time estimates and the breach check
Runs client-side · nothing but a 5-char hash prefix ever leaves the browser Launch auditor →

Overview

Password tools have a trust problem: to tell you if a password is any good, most of them want you to type it into their server. This one never does. Strength is scored locally, and the breach check is built on a clever bit of privacy engineering — k-anonymity — that lets you ask "has this leaked?" without revealing the password, or even its full hash.

What's in it

📊 Strength & entropy

A from-scratch estimator: character-pool entropy with penalties for common passwords, dictionary words (even l33t-spelled), sequences, repeats and digit-only PINs.

⏱ Crack-time estimates

Translates entropy into time-to-crack for two attacker models — a fast offline rig (10 billion guesses/s) and a throttled online login (100/s).

🕵️ k-anonymity breach check

SHA-1 the password in-browser, send only the 5-char prefix to the HIBP range API, then match the full suffix locally against what comes back.

🎲 Passphrase generator

One click produces a strong, memorable word-based passphrase using the crypto-secure getRandomValues — and drops it into the meter so you can see why length wins.

How k-anonymity works here

It's the same "make the dangerous thing safe to try" idea as the weft firewall simulator — here applied to credentials. Open the live auditor →