Password checker and breach verification
Check your password strength, entropy, and estimated crack time. Verify if it has been exposed in known data breaches. Generate secure passwords instantly.
Check your password security
Enter a password to analyse its strength, or generate a new secure one. Strength calculations are performed locally in your browser; only the breach check contacts a server, and it sends just the first 5 characters of the password's SHA-1 hash.
Password check
How it works: k-anonymity protocol
Your browser computes the SHA-1 hash of your password
Only the first 5 characters of the hash are sent to the API
The API returns thousands of hashes that start with those 5 characters
Your browser checks locally if the full hash matches — nobody knows which password you checked
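The four steps above, as an added example that is not code from this page or from Have I Been Pwned: the client side of the range check in JavaScript, run against a constructed in-memory stand-in for the API. The `SUFFIX:COUNT` line format is that of the Pwned Passwords range API; `fetchRange`, `makeFakeApi` and the counts are assumptions made for the example.

```javascript
// Added example: client side of the k-anonymity breach check, runnable offline.
// Node's crypto module is used so this runs without a browser; in a page the same
// digest comes from crypto.subtle.digest("SHA-1", bytes).
const { createHash } = require("node:crypto");

// SHA-1 of the password as 40 uppercase hex characters.
function sha1Hex(password) {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Parse a range response: one "SUFFIX:COUNT" line per hash, CRLF or LF separated.
// Malformed lines are skipped rather than trusted.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-F]{35}):(\d+)$/i.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// Returns the breach count for `password` (0 = not found). `fetchRange` is a
// hypothetical transport: it receives the 5-character prefix and returns the body.
function breachCount(password, fetchRange) {
  const hash = sha1Hex(password);
  const prefix = hash.slice(0, 5); // the only value that leaves the client
  const suffix = hash.slice(5);    // compared locally, never sent
  return parseRange(fetchRange(prefix)).get(suffix) ?? 0;
}

// Constructed stand-in for the API: a tiny "breach corpus" with made-up counts.
// It logs every request so the caller can confirm what the server actually saw.
function makeFakeApi(corpus) {
  const seen = [];
  const hashes = Object.entries(corpus).map(([pw, n]) => [sha1Hex(pw), n]);
  const fetchRange = (prefix) => {
    seen.push(prefix);
    const lines = hashes
      .filter(([h]) => h.startsWith(prefix))
      .map(([h, n]) => `${h.slice(5)}:${n}`);
    lines.push("not-a-valid-line"); // constructed junk the parser must ignore
    return lines.join("\r\n");
  };
  return { fetchRange, seen };
}

const api = makeFakeApi({ password: 1000, "123456": 2500 }); // constructed counts
console.log(breachCount("password", api.fetchRange), api.seen);
```

The `seen` log is the server's entire view of the exchange: 5-character prefixes, each shared by every password whose hash begins the same way.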
Generate secure password
All calculations are performed locally in your browser. No passwords are saved or transmitted to external servers, except for the breach check which uses the k-anonymity protocol from Have I Been Pwned.
Understanding password security
A strong password is your first line of defence against unauthorised access. Understanding how password strength is measured helps you make better choices when creating or updating your credentials.
Entropy
Measures randomness in bits. Higher entropy means more possible combinations and longer crack times.
Crack time
Estimated time to brute-force the password at 10 billion guesses per second (high-end offline attack).
Character variety
Using lowercase, uppercase, digits, and symbols increases the character set size and overall entropy.
Password length
Length has the greatest impact on security. Each additional character multiplies the number of possible combinations.
Data breaches
Even a strong password is unsafe if it has been leaked. The breach check uses Have I Been Pwned with k-anonymity.
Password managers
Use a password manager to generate and store unique passwords for every account, eliminating reuse risks.
For enterprise-grade identity protection including multi-factor authentication, SSO, and access governance, see our Digital Identity Management page.
Frequently asked questions about password security
Answers to common questions about password strength, breach checks, and best practices.
Yes. All strength calculations (entropy, crack time, character analysis) run entirely in your browser. Nothing is sent to any server. For the data breach check, only the first 5 characters of the SHA-1 hash are sent to the Have I Been Pwned API using the k-anonymity protocol, so your actual password is never transmitted.
Entropy measures the randomness of a password in bits. The higher the entropy, the harder the password is to crack through brute-force attacks. A password with 60+ bits of entropy is considered strong, while 128+ bits is very strong. Entropy depends on both the length of the password and the variety of character types used (lowercase, uppercase, digits, symbols).
The estimated crack time is calculated assuming a brute-force attack at 10 billion guesses per second, which represents a high-end offline attack using specialised hardware. The actual time could be shorter if the password follows common patterns or longer if rate-limiting or other protections are in place.
The breach check queries the Have I Been Pwned database, which contains billions of passwords exposed in known data breaches. If your password appears in the database, it means attackers have it in their dictionaries and can try it instantly. You should change any breached password immediately and avoid reusing it across services.
A secure password should be at least 16 characters long, use a mix of lowercase, uppercase, digits, and symbols, and be unique for each account. Avoid dictionary words, personal information, and common patterns. The built-in generator creates cryptographically random passwords that meet these criteria. For managing many unique passwords, use a password manager.
Protect your business identities
From multi-factor authentication to identity governance and access management: we help you secure every digital identity in your organisation. Contact us for a consultation.