Security · Privacy · Client-side
Password &
Breach Auditor_
A privacy-first credential checker that runs entirely in the browser. It estimates password strength and crack time with a from-scratch heuristic, and checks whether a password has appeared in a real breach using HaveIBeenPwned k-anonymity — so only the first five characters of its SHA-1 hash ever leave your device.
Overview
Password tools have a trust problem: to tell you if a password is any good, most of them want you to type it into their server. This one never does. Strength is scored locally, and the breach check is built on a clever bit of privacy engineering — k-anonymity — that lets you ask "has this leaked?" without revealing the password, or even its full hash.
What's in it
📊 Strength & entropy
A from-scratch estimator: character-pool entropy with penalties for common passwords, dictionary words (even l33t-spelled), sequences, repeats and digit-only PINs.
⏱ Crack-time estimates
Translates entropy into time-to-crack for two attacker models — a fast offline rig (10 billion guesses/s) and a throttled online login (100/s).
🕵️ k-anonymity breach check
SHA-1 the password in-browser, send only the 5-char prefix to the HIBP range API, then match the full suffix locally against what comes back.
🎲 Passphrase generator
One click produces a strong, memorable word-based passphrase using the crypto-secure getRandomValues — and drops it into the meter so you can see why length wins.
How k-anonymity works here
- Hash locally: the password is SHA-1 hashed in the browser with the Web Crypto API — the raw password never travels.
- Send a prefix only: just the first 5 hex characters of the hash are sent to
api.pwnedpasswords.com/range/<prefix>. That prefix is shared by hundreds of unrelated hashes, so it identifies nothing. - Match the suffix here: the API returns every leaked-hash suffix under that prefix, with breach counts; the page compares them to your suffix locally and reads off the count.
- Honest about limits: the strength score is a transparent heuristic, not a cracking oracle — it's deliberately conservative and explains every penalty it applies.