Password Strength Checker

Check your password's strength and scan for breaches via HIBP. Entirely in your browser.

100% client-side · no data transmitted

How this tool works

01. Local analysis

Entropy is calculated from the character set used (uppercase, lowercase, digits, symbols) and length. Weak patterns are also detected: common words, keyboard sequences, repetitions and year patterns.

02. Crack time estimation

Assuming a brute-force attack at 10 billion attempts/second (modern GPU), crack time is estimated from entropy: 2^bits / 10^10 seconds. Above 60 bits, an attack takes years of continuous effort.

03. HIBP breach check (optional)

When you click the check button, a SHA-1 hash of your password is computed client-side. Only the first 5 hexadecimal characters of that hash (the prefix) are sent to the Have I Been Pwned API. The suffixes it returns are compared locally, so your full password never leaves your device.

Your password never leaves your browser

Strength analysis is entirely local: no network calls. For the breach check, only 5 characters of the SHA-1 hash are transmitted (k-anonymity). Have I Been Pwned receives a generic prefix shared by many other hashes, so it cannot reverse-engineer your password from it. Open the DevTools Network tab to verify this yourself.
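The breach check described above, written out as an added example (not this tool's own code). Function names are hypothetical and the sample response is constructed; the `SUFFIX:COUNT` line format and zero-count padded entries are those of the HIBP range API.

```javascript
// SHA-1 of the UTF-8 password as 40 uppercase hex chars, via Web Crypto.
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = await crypto.subtle.digest('SHA-1', bytes);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Split the digest: the 5-char prefix is the only part that is transmitted.
function splitHash(hex) {
  if (!/^[0-9A-Fa-f]{40}$/.test(hex)) throw new Error('not a SHA-1 hex digest');
  const h = hex.toUpperCase();
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the breach
// count for our suffix, or 0 when it is absent. Padded entries carry count 0,
// so they are reported as "not found" as well.
function countInRange(suffix, body) {
  const wanted = suffix.toUpperCase();
  for (const line of body.split(/\r?\n/)) {
    const [s, n] = line.trim().split(':');
    if (s && s.toUpperCase() === wanted) return parseInt(n, 10) || 0;
  }
  return 0;
}

// fetchRange(prefix) -> Promise<string> is injected (assumption), so the
// comparison logic can be exercised offline and audited separately.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(suffix, await fetchRange(prefix));
}

// Constructed sample response for prefix 5BAA6 (suffixes and counts made up,
// except the middle suffix, which is the tail of SHA-1("password")).
const SAMPLE_RANGE = [
  '0'.repeat(34) + 'A:10',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  '0'.repeat(34) + 'B:0', // padding-style entry
].join('\r\n');

// Offline usage: checks "password" against the constructed response.
const demo = () => checkPassword('password', async () => SAMPLE_RANGE);
```

Only `prefix` is ever passed to `fetchRange`; the suffix comparison happens in `countInRange` on the client.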

Create and store strong passwords

A strong password (at least 16 characters, uppercase + digits + symbols) produces entropy above 80 bits, making brute-force attacks practically impossible even with specialised hardware.

Once you have a strong password, store it in a password manager. It encrypts your vault locally before any cloud sync.

Store your passwords securely

A strong password stored insecurely is worthless. Bitwarden, Proton Pass and NordPass are open-source, auditable and free.

Frequently asked questions

Is my password sent over the internet?

No. Strength analysis is 100% local. For the HIBP check, only the first 5 characters of your password's SHA-1 hash are transmitted (k-anonymity). Neither the full hash nor the plaintext password ever leaves your browser — Have I Been Pwned cannot derive your password from the prefix.

What is Have I Been Pwned?

Have I Been Pwned (HIBP) is a public database created by security researcher Troy Hunt, compiling over 10 billion credential pairs from known data breaches. Its password check API uses k-anonymity so the full password hash is never exposed.

How is entropy calculated?

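Entropy is calculated as L × log₂(N), where L is password length and N the character pool size (26 lowercase, 26 uppercase, 10 digits, 32 symbols). For example, a 16-character password using all sets gives 16 × log₂(94) ≈ 104 bits. This figure assumes every character is chosen at random, which is why the tool also flags weak patterns such as common words, keyboard sequences, repetitions and years.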

What minimum score do you recommend?

Aim for at least 'Strong' (60+ bits). For critical accounts (primary email, banking, password manager), target 'Very Strong' (80+ bits) — that means 16+ characters with uppercase, digits and symbols.

What should I do if my password was breached?

Change it immediately on every service where you used it. Enable two-factor authentication (2FA) on those accounts. Use a password manager to create and store unique passwords for every service.