Password Strength Checker

Analyze Password Security with Real Entropy & Breach Check • No Signup • 100% Private

How It Works

Your password is analyzed entirely in your browser using zxcvbn (Dropbox's password estimator) and Shannon entropy. For breach checking, only the first 5 characters of the SHA-1 hash are sent to HaveIBeenPwned — your full password never leaves this page.

Why AI Cannot Replace This

AI cannot calculate exact entropy, estimate real crack times, or check actual breach databases. Password strength requires deterministic computation and live breach data — both outside AI's capability.

Privacy

Everything runs locally. The breach check uses k-anonymity: only a 20-bit hash prefix is sent remotely. Full hash comparison happens in your browser. Nothing is stored or logged.

What Is a Strong Password?

Length matters more than complexity. A 20-character passphrase beats a 12-character mixed symbol password. NIST SP 800-63B recommends 15+ characters. Use a password manager to generate and store unique passwords.

Frequently Asked Questions

Is my password sent to any server?

No. All analysis runs locally in your browser. The optional breach check uses k-anonymity: your browser computes the SHA-1 hash, sends only the first 5 hex characters (20 bits) to HaveIBeenPwned, and compares the returned hash suffixes locally. Your full password never leaves this page.

What is entropy and why does it matter?

Entropy measures unpredictability in bits. Each bit doubles the number of guesses needed. A password with 40 bits of entropy requires up to 2^40 guesses. Shannon entropy gives a lower bound; zxcvbn gives a more realistic estimate accounting for patterns, dictionary words, and common substitutions.

What do the crack time estimates mean?

The tool shows three scenarios: Online (10,000 guesses/sec, a typical rate-limited login form), Offline GPU (10 billion guesses/sec, a fast hash cracked on a consumer GPU), and PBKDF2 (1,000 guesses/sec, a deliberately slow hash such as bcrypt or argon2). Real times depend on the site's hashing scheme and rate limiting.

How does the breach check work?

Your browser computes SHA-1(password) and sends the first 5 hex digits to api.pwnedpasswords.com. The API returns all hash suffixes matching that prefix. Your browser checks if your full hash appears in the returned list. If found, your password has appeared in a known data breach.

What makes a password truly strong?

Length is king. A 20-character random passphrase (e.g., "correct horse battery staple") provides ~90 bits of entropy, stronger than "P@ssw0rd!" at 12 chars (~40 bits). Use a password manager to generate and store unique passwords for every account. Enable two-factor authentication wherever possible.

What is the zxcvbn score?

zxcvbn is a password strength estimator from Dropbox. Score 0-4: 0=too guessable (risky), 1=very guessable, 2=somewhat guessable, 3=safely unguessable (moderate), 4=very unguessable (strong). It analyzes patterns, dictionary words, common passwords, and keyboard walks — not just character variety.

Does this tool store or log my password?

Never. All computation happens in your browser with JavaScript. No data is transmitted, stored, or logged. The breach check uses k-anonymity so even the hash prefix sent cannot reconstruct your password. Your privacy is guaranteed.
