Thaufin Altaf

HOW WE CHECK YOUR PASSWORD

Five independent checks run the moment you type, all locally in your browser. Here's exactly what each one does, why it matters, and why your password never touches a server.

// six sections

  1. 00 Privacy Architecture: how your password stays local
  2. 01 Strength Scoring: zxcvbn
  3. 02 Entropy: Shannon entropy formula
  4. 03 Breach Database: Have I Been Pwned · k-anonymity
  5. 04 Common Password Lists: top-10k + RockYou
  6. 05 Pattern Detection: 5 structural checks

00

PRIVACY ARCHITECTURE

Every check on this site runs inside your browser. Your password is never sent to any server, never logged, and never stored. Here is exactly what happens, and what doesn't.

// what stays local

LOCAL

Strength + Entropy + Patterns

Pure JavaScript functions. They receive your password as a string, compute a result, and return it. No network involved, nothing to intercept.

LOCAL

Wordlist check

The wordlist files (top10k, RockYou) are downloaded once from our own server as plain text and cached. Traffic flows one way: the server sends the files to you and never receives your password.

LOCAL

Breach check

The SHA1 hash is computed locally with the browser's built-in Web Crypto API (crypto.subtle.digest). Only the first 5 hex characters of that hash, 20 of its 160 bits, ever leave the browser. See section 03 for the full breakdown.

// what the server sees

your password: never
full SHA1 hash: never
first 5 hex chars of SHA1 (HIBP only): once per check
wordlist files: downloaded to you
01

STRENGTH SCORING

Most password meters just count character classes: uppercase? +1. Number? +1. That scores p@ssw0rd as complex and is nearly useless. We use zxcvbn, a library originally built by Dropbox, which estimates strength the way an attacker searches for passwords.

It matches your password against dictionary words, common names, keyboard patterns, dates, and known sequences, estimates how many guesses an attacker would need to reach it, and converts that guess count into a crack time for realistic hardware.

// score scale

0 · Very Weak · password
1 · Weak · password1!
2 · Fair · Tr0ub4dor
3 · Strong · correct-horse-battery
4 · Very Strong · kX9#mP2$nQ7@vL4!

Crack time assumes an offline attack at 10 billion guesses per second. That is zxcvbn's "offline fast hashing" scenario: the attacker already holds the leaked hash database and the site stored passwords with a fast, unsalted hash such as MD5 or SHA-1, which GPU hardware tries at that rate. Against a deliberately slow hash (bcrypt, scrypt, Argon2) the same password holds out orders of magnitude longer, but since you cannot know how a given site stores passwords, the fast case is the safe assumption.

02

ENTROPY

Entropy measures how unpredictable your password is, in bits. More bits = more possible combinations an attacker has to search. The formula:

bits = length × log₂(pool size)

lowercase only → pool = 26

+ uppercase → pool = 52

+ digits → pool = 62

+ symbols → pool = 94

"hello" = 5 × log₂(26) ≈ 23.5 → 23 bits (very weak)

"kX9#mP2$" = 8 × log₂(94) ≈ 52.4 → 52 bits (moderate)

"kX9#mP2$nQ7@vL4!" = 16 × log₂(94) ≈ 104.9 → 104 bits (strong)

(bit counts are rounded down)

This formula assumes every character was drawn uniformly at random from the pool, so it is an upper bound: "password" scores 8 × log₂(26) ≈ 37 bits by this measure yet is the first guess any attacker makes. For human-chosen passwords, zxcvbn's guess-based crack time is the realistic figure; the entropy number is accurate only for passwords produced by a random generator.
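As an added example (not code from this site), here is the pool-size formula above in JavaScript, together with the conversion from bits to crack time under the 10 billion guesses per second assumption from section 01. The function names (poolSize, entropyBits, secondsToExhaust, lengthForBits) and the choice to count anything outside letters and digits as one of 32 printable symbols are this example's own; the class sizes match the pool sizes listed above.

```javascript
// Added example, not the analyzer's own code. Implements bits = length × log2(pool)
// from section 02 and converts bits to crack time using section 01's 1e10 guesses/s.

// Character classes and the pool each contributes: 26 + 26 + 10 + 32 = 94.
// Assumption: anything outside [a-zA-Z0-9] counts as one of 32 printable ASCII symbols.
const CLASSES = [
  { name: "lowercase", re: /[a-z]/, size: 26 },
  { name: "uppercase", re: /[A-Z]/, size: 26 },
  { name: "digits",    re: /[0-9]/, size: 10 },
  { name: "symbols",   re: /[^a-zA-Z0-9]/, size: 32 },
];

// Pool size is the sum of the classes actually present in the password.
function poolSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0);
}

// Entropy in bits, rounded down the way the figures on this page are.
function entropyBits(password) {
  if (password.length === 0) return 0;
  return Math.floor(password.length * Math.log2(poolSize(password)));
}

// Worst-case seconds to try all 2^bits candidates at `rate` guesses per second.
// 1e10/s is zxcvbn's "offline fast hashing" scenario (unsalted MD5/SHA-1 on GPUs);
// 1e4/s is its "offline slow hashing" scenario (bcrypt/scrypt/PBKDF2).
const OFFLINE_FAST_HASHING = 1e10;
const OFFLINE_SLOW_HASHING = 1e4;
function secondsToExhaust(bits, rate = OFFLINE_FAST_HASHING) {
  return 2 ** bits / rate;
}

// Shortest length at which a uniformly random password over `pool` reaches `targetBits`.
function lengthForBits(targetBits, pool) {
  return Math.ceil(targetBits / Math.log2(pool));
}

// Summary object used by the demo below.
function describe(password) {
  const bits = entropyBits(password);
  return {
    password,
    pool: poolSize(password),
    bits,
    fastHashSeconds: secondsToExhaust(bits),
    slowHashSeconds: secondsToExhaust(bits, OFFLINE_SLOW_HASHING),
  };
}

// Demo: the three strings from this section plus a human-chosen password the formula
// overrates ("password" is 37 bits by this measure but guess number one for any attacker).
for (const pw of ["hello", "kX9#mP2$", "kX9#mP2$nQ7@vL4!", "password"]) {
  console.log(describe(pw));
}
console.log("lowercase-only length needed for 80 bits:", lengthForBits(80, 26));
console.log("94-char pool length needed for 80 bits:", lengthForBits(80, 94));
```

The two lengthForBits calls make the practical point of the formula: a random lowercase-only password needs 18 characters to reach 80 bits, a random password over the full 94-character pool needs 13.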

03

BREACH DATABASE

We check your password against billions of real leaked passwords using Have I Been Pwned, the largest public breach database. But here's the important part: your password never leaves your browser.

This is possible through a technique called k-anonymity. Here's exactly what happens step by step:

// request flow

01 · your password: "password123" (never leaves the browser)

02 · SHA1 computed in browser: CBFDAC6008F9CAB4083784CBD1874F76618D2A97 (full hash stays local)

03 · only the first 5 hex chars sent: CBFDA → our server → HIBP

04 · HIBP returns ~800 matches: every stored hash beginning with CBFDA, as suffix:count lines (our server and HIBP see the prefix only, never the password or the full hash)

05 · browser checks locally: is the remaining 35-character suffix in the list? If so, its count is how many times that password has appeared in breaches, and the result is rendered

There are 16⁵ = 1,048,576 possible 5-character hex prefixes, so the prefix discloses only 20 of the hash's 160 bits. Roughly 800 breached passwords share each prefix, and so do countless passwords that were never breached, so neither our server nor HIBP can tell which password you checked from the prefix alone. That's the k-anonymity guarantee. The comparison of the remaining 35 characters against the returned list happens in your browser.

04

COMMON PASSWORD LISTS

We also check your password against two wordlists stored in your browser. The lists are downloaded once and cached; after that no network request is involved, the check is an in-memory lookup and is instant on every subsequent visit.

top-10k.txt · 10,000 entries

A curated list of the most commonly used passwords. If your password is on here, it's the very first thing any attacker tries.

rockyou-top100k.txt · 59,186 entries

Real passwords from the 2009 RockYou data breach, in which 32 million plaintext passwords leaked from a social gaming company. It became the standard wordlist for security research, and every serious password-cracking toolkit ships with it.

combined coverage: ~69,000 passwords, checked locally with an O(1) hash-set lookup

05

PATTERN DETECTION

Even passwords not in any wordlist can be structurally weak. We run five checks that catch the shortcuts people take when trying to make a password feel complex without actually being complex.

KEYBOARD WALK

qwerty, asdf123, trewq

Four or more consecutive keys along a keyboard row, including reversed patterns like trewq.

REPEATED CHARS

aaaa, 1111111

Four or more of the same character in a row. Caught with a single regex backreference.

SEQUENTIAL

abcd, 1234, zyxw

Four or more characters whose Unicode values step up or down by exactly 1.

L33T SPEAK

p@ssw0rd, s3cur3

Common symbol substitutions like @ → a, 0 → o, 3 → e. Every cracking rule set includes these substitutions, so they add nothing to a dictionary word.

NUMERIC ONLY

1234, 19901231

All-digit passwords of up to 8 characters. That is at most 10⁸ = 100 million combinations, which at the 10 billion guesses per second assumed in section 01 are exhausted in about a hundredth of a second.
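The five checks above, plus the Set-based wordlist lookup from section 04, as an added example in JavaScript (not the site's own code). The wordlist text, the leet substitution table, the US-layout keyboard rows and all function names are this example's own; the thresholds (four or more keys, characters or code points; eight digits) follow the text.

```javascript
// Added example, not the analyzer's own code: the Set-backed wordlist lookup from
// section 04 and the five structural checks from section 05. The wordlist text and
// leet table below are constructed for this example; thresholds follow the page.

// --- section 04: wordlist, loaded once from plain text into a Set for O(1) lookup ---
function loadWordlist(text) {
  // Tolerate CRLF line endings and blank lines; compare case-insensitively.
  return new Set(text.split(/\r?\n/).map((s) => s.trim().toLowerCase()).filter(Boolean));
}
const CONSTRUCTED_WORDLIST_TEXT = "password\r\n123456\r\nqwerty\r\nsecure\r\nletmein\r\n";
const WORDLIST = loadWordlist(CONSTRUCTED_WORDLIST_TEXT);

// --- section 05: the five structural checks ---
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]; // US layout letter rows (assumption)

// Keyboard walk: `min` consecutive keys along a row, forward or reversed.
function hasKeyboardWalk(pw, min = 4) {
  const s = pw.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    const rev = [...row].reverse().join("");
    for (let i = 0; i + min <= row.length; i++) {
      if (s.includes(row.slice(i, i + min)) || s.includes(rev.slice(i, i + min))) return true;
    }
  }
  return false;
}

// Repeated chars: one backreference catches four or more of the same character.
function hasRepeat(pw) {
  return /(.)\1{3,}/.test(pw);
}

// Sequential: `min` consecutive code points stepping by exactly +1 or -1.
function hasSequence(pw, min = 4) {
  const cps = [...pw].map((c) => c.codePointAt(0));
  let run = 1, dir = 0;
  for (let i = 1; i < cps.length; i++) {
    const d = cps[i] - cps[i - 1];
    if (Math.abs(d) === 1 && (dir === 0 || d === dir)) run++;
    else run = Math.abs(d) === 1 ? 2 : 1;   // direction flipped: the new pair starts a run of 2
    dir = Math.abs(d) === 1 ? d : 0;
    if (run >= min) return true;
  }
  return false;
}

// Leet speak: undo the common substitutions and see whether a wordlist entry appears.
// A single one-to-one map is a simplification; real crackers try every combination.
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
function unleet(pw) {
  return [...pw.toLowerCase()].map((c) => LEET[c] ?? c).join("");
}
function isLeetVariant(pw, wordlist = WORDLIST) {
  const plain = unleet(pw);
  return plain !== pw.toLowerCase() && wordlist.has(plain);
}

// Numeric only: all digits, up to the 8-character cutoff used on this page.
function isShortNumeric(pw, maxLen = 8) {
  return /^\d+$/.test(pw) && pw.length <= maxLen;
}

// Run every check and return the names of those that fire.
function analyze(pw, wordlist = WORDLIST) {
  const findings = [];
  if (wordlist.has(pw.toLowerCase())) findings.push("in-wordlist");
  if (hasKeyboardWalk(pw)) findings.push("keyboard-walk");
  if (hasRepeat(pw)) findings.push("repeated-chars");
  if (hasSequence(pw)) findings.push("sequential");
  if (isLeetVariant(pw, wordlist)) findings.push("leet-speak");
  if (isShortNumeric(pw)) findings.push("numeric-only");
  return findings;
}

for (const pw of ["qwerty", "asdf123", "1111111", "zyxw", "p@ssw0rd", "19901231", "kX9#mP2$nQ7@vL4!"]) {
  console.log(pw.padEnd(18), analyze(pw));
}
```

Note that several checks can fire on one input: 19901231 is both numeric-only and sequential, because the code points of "0123" step by exactly 1, while the random 16-character string from section 02 triggers none of them.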
