Frequently Asked Questions
How is password strength calculated?
Strength is measured in entropy bits — the higher the number, the more guesses an attacker needs. The score is calculated in three steps:
- Base entropy from character variety (lowercase, uppercase, digits, special symbols) and length — each extra character multiplies the total combinations.
- Structural reduction: perfect repeats (abababab) and long identical-character runs (aaabbb) are detected and entropy is reduced to reflect that structure.
- Pattern penalties: −40 bits for known common words or phrases, −15 bits for keyboard sequences (qwerty, 12345) or years.
The effective entropy maps to five levels: Very Strong ≥ 80 bits, Strong ≥ 60, Fair ≥ 40, Weak ≥ 20, Very Weak below. Passwords shorter than 8 characters are capped at Weak regardless of entropy.
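To make the three steps concrete, here is an added example scorer (not the tool's own code) that follows the procedure described above. The FAQ fixes the penalty sizes, the level thresholds and the 8-character cap; the exact structural-reduction formulas, the word and sequence lists, and the helper names are assumptions made for this illustration.

```javascript
// Added example, not the tool's own code: a scorer following the FAQ's three steps.
// Assumed: the reduction formulas in step 2 and the sample dictionaries below.

// Constructed sample lists (the real tool's dictionaries are not on the page).
const COMMON_WORDS = ["password", "letmein", "welcome", "iloveyou", "admin"];
const KEYBOARD_SEQS = ["qwerty", "asdfgh", "zxcvbn", "12345", "abcdef"];
const LEVELS = ["Very Weak", "Weak", "Fair", "Strong", "Very Strong"];

// Step 1: alphabet size from the character classes present; bits per character = log2(size).
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII punctuation and space
  return n;
}

function baseEntropy(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Smallest p such that pw is pw.slice(0, p) repeated; equals pw.length when there is no perfect repeat.
function smallestPeriod(pw) {
  for (let p = 1; p <= pw.length / 2; p++) {
    if (pw.length % p === 0 && pw.slice(0, p).repeat(pw.length / p) === pw) return p;
  }
  return pw.length;
}

// Step 2: structural reduction (assumed formulas).
// A perfect repeat is scored as its repeating unit plus log2(number of repetitions);
// an identical-character run of 3 or more is scored as one character plus log2(run length).
function structuralEntropy(pw) {
  if (pw.length === 0) return 0;
  const bitsPerChar = Math.log2(charsetSize(pw));
  const p = smallestPeriod(pw);
  if (p < pw.length) return p * bitsPerChar + Math.log2(pw.length / p);
  let bits = 0;
  for (const run of pw.match(/([\s\S])\1*/g)) {
    bits += run.length >= 3 ? bitsPerChar + Math.log2(run.length) : run.length * bitsPerChar;
  }
  return bits;
}

// Step 3: pattern penalties, using the sizes the FAQ states (-40 and -15 bits).
function patternPenalty(pw) {
  const lower = pw.toLowerCase();
  let penalty = 0;
  if (COMMON_WORDS.some((w) => lower.includes(w))) penalty += 40;
  if (KEYBOARD_SEQS.some((s) => lower.includes(s)) || /(19|20)\d\d/.test(pw)) penalty += 15;
  return penalty;
}

function effectiveEntropy(pw) {
  return Math.max(0, structuralEntropy(pw) - patternPenalty(pw));
}

// Level thresholds as given in the FAQ.
function levelFor(bits) {
  if (bits >= 80) return "Very Strong";
  if (bits >= 60) return "Strong";
  if (bits >= 40) return "Fair";
  if (bits >= 20) return "Weak";
  return "Very Weak";
}

// Final score: map to a level, then cap passwords shorter than 8 characters at Weak.
function score(pw) {
  const bits = effectiveEntropy(pw);
  let level = levelFor(bits);
  if (pw.length < 8 && LEVELS.indexOf(level) > LEVELS.indexOf("Weak")) level = "Weak";
  return { bits: Math.round(bits * 10) / 10, level };
}

// Usage:
//   score("abababab")      -> perfect repeat, scored as "ab" plus a repeat count: Very Weak
//   score("password2024")  -> common word (-40) and a year (-15): Very Weak
//   score("Xy9#Qw!")       -> about 46 bits, but only 7 characters: capped at Weak
```

The structural step is what separates this from a naive length-times-alphabet score: `abababab` and `aaabbb` keep their full base entropy under step 1 alone, and only the repeat and run detection brings them down to the handful of bits they actually carry.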
Is my password sent anywhere when I check it?
All strength checks — entropy, pattern detection, and crack time estimate — run entirely in your browser. Your password is never transmitted and never leaves your device.
The optional breach check is powered by HaveIBeenPwned (haveibeenpwned.com), a free public service that collects passwords exposed in real-world data breaches worldwide. Your privacy is protected by design: only the first 5 characters of a SHA-1 hash (a one-way scrambled code that cannot be reversed) of your password are sent to the service — never the password itself. The comparison happens locally in your browser, making it technically impossible for anyone to learn what you typed.
What is entropy and why does it matter?
Entropy measures unpredictability in bits. A higher bit count means exponentially more combinations an attacker must try. Every extra character from a larger character set roughly doubles the search space. As a practical guide:
- < 40 bits — weak, crackable quickly in an offline attack.
- 40–59 bits — adequate for most everyday accounts when the site uses secure hashing (bcrypt, Argon2).
- 60–79 bits — strong, recommended for email, banking, and social media.
- ≥ 80 bits — ideal for a master password or password manager vault.
Note that with modern secure hashing the algorithm matters as much as entropy — even 50 bits provides years of real-world protection against offline attacks.
What does "found in breaches" mean?
It means the exact password appeared in a known data breach compiled by HaveIBeenPwned. Even a single appearance means attackers have it in their dictionaries — stop using it immediately and change it everywhere you have used it.