About this tool
A pure front-end password checkup. Enter a password and it tells you whether it's appeared in any known breach, how strong it is, and roughly how long it would take to crack.
Why your password stays safe
1. Everything runs in your browser
The password you type is never sent to any server. It lives only in your browser's memory and is gone when you reload.
2. HIBP k-anonymity for breach lookups
We use Have I Been Pwned's Pwned Passwords API. It's designed so you can query without sending the full password:
- Your browser SHA-1s the password.
- Only the first 5 hex characters of that hash (e.g. 21BD1) are sent to HIBP.
- HIBP returns every full hash that starts with those 5 characters (about 800–1000 rows).
- The comparison happens locally in your browser.
HIBP learns that someone queried a given bucket; it can never know which specific password you checked.
3. zxcvbn for strength estimation
zxcvbn is the password-strength engine open-sourced by Dropbox. Instead of just counting characters, it checks for dictionary words, keyboard walks, common substitutions, dates, and so on — then estimates offline slow-hash cracking time. We use the TypeScript port zxcvbn-ts; all dictionaries run on the client.
Engineering choices
- Zero backend. A static site on Cloudflare Pages — no server code, no database.
- No cookies, no localStorage for password data, no accounts.
- The zxcvbn dictionary is dynamically imported, so the first paint of the homepage stays lean.
How to verify this yourself
Open your browser's DevTools → Network. Press Check. You should see exactly one request, GET api.pwnedpasswords.com/range/XXXXX, where XXXXX is the first 5 hex characters of the SHA-1 hash and nothing more. There is no other outbound traffic carrying the password.