Free tool

Password Strength & Breach Checker

A local strength meter, plus an optional, privacy-preserving check against known data breaches.

Type a password to see its strength.

Assumes 10 billion guesses/second — a common rate for an offline attack against a fast, unsalted hash.

This estimates a random password's strength by character set. It has no dictionary awareness — a real word or common phrase is weaker than this number suggests.

Check if it's been exposed

The strength meter below runs entirely offline: it estimates entropy from the character types you use and your password's length, then converts that into a rough time-to-crack against an offline attack. It has no idea what a “common word” or “common pattern” is — it's a character-set estimate, not a full strength model, and it will overestimate a real word or predictable phrase.

The breach check is a separate, opt-in step. It uses the same k-anonymity method Bitwarden, 1Password and Chrome use: your password is hashed in your browser, and only the first 5 characters of that hash are sent to Have I Been Pwned's API — never the password, and never the full hash. Nothing happens automatically; you decide when to check.

How to use it

  1. 01Type a password to see its entropy, strength band and estimated crack time — computed locally as you type.
  2. 02Click “Check for breaches” if you also want to see whether it's appeared in a known leak. This is the only step that contacts a server.
  3. 03If it's weak or has been breached, generate a new one with the password generator instead.

Frequently asked questions

Is my password ever sent anywhere?

No. The strength meter never leaves your browser. The optional breach check hashes your password locally and sends only the first 5 characters of that hash — never the password itself, never the full hash. Have I Been Pwned can't reconstruct your password from that.

Why does the strength meter not check for common words or patterns?

This tool estimates entropy from character-set size and length only, with no dictionary or pattern awareness — it's the honest, dependency-free version of a strength check. A password like “Sunshine1!” scores reasonably here but is actually weak, because it's a predictable word plus a common suffix. Prefer a long, random password from the generator over a memorable phrase.

What does “found in a breach” actually mean?

It means that exact password has appeared in at least one publicly known data breach collected by Have I Been Pwned — millions of people have reused it, and it's in every serious attacker's guess list. Stop using it immediately, everywhere, even if it was never “yours” in that specific breach.

Related tools

This is what Purgify automates.

Connect your cloud accounts and Purgify finds duplicates and reclaimable space like this — across all of them, on a schedule.

Available very soon

Want early access? Write to us at [email protected]