Password Strength Checker
Real-time entropy, estimated crack time, and optional breach check. Your password stays in your browser unless you explicitly run the breach check.
Optional breach check
We never send your password. Strength scoring runs entirely in your browser. If you click the breach check, your browser sends only the first 5 characters of the SHA-1 hash of your password to api.pwnedpasswords.com; the response is a list of hash suffixes, which your browser compares locally. This is HIBP’s standard k-anonymity flow.
Your master password is the root key for your team's secrets vault. localWiki uses Argon2id key derivation — chosen specifically because it's memory-hard and resists GPU attacks. Start free.
How it works
The strength meter calculates Shannon entropy from the password length and the size of the character pool you used — lowercase, uppercase, digits, symbols, and non-ASCII characters each extend the pool. The resulting bit count is reduced when we detect specific weaknesses: repeated characters, sequential characters (abc or 321), keyboard-row walks, and common leaked words.
Crack time is estimated against an offline attacker running 10^11 guesses per second — roughly what a single high-end GPU can do against a weak hash like unsalted SHA-1. A properly hashed password using Argon2id or bcrypt would be many orders of magnitude slower to attack, but the reported time here is a worst-case floor.
The optional breach check uses the Have I Been Pwned Pwned Passwords range API with the Add-Padding header. Only the first five characters of the SHA-1 hash leave your browser; the server returns a list of candidate suffixes with occurrence counts, and your browser compares them locally. This is the same k-anonymity flow 1Password and other managers use for their built-in breach checks.
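The range-query flow described above, as an added example that is not this site's own code. Node's `crypto` module stands in for the browser's hashing so the block runs offline, and the response body and its counts are constructed.

```javascript
// Added example, not the site's own code: the k-anonymity range check.
// Node's crypto is used so this runs offline; a browser would hash with
// crypto.subtle.digest('SHA-1', ...) and fetch() the URL built below.
const { createHash } = require('node:crypto');

// Split the uppercase hex SHA-1 into the 5-char prefix (sent) and the
// 35-char suffix (never leaves the machine).
function splitHash(password) {
  const hash = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Describe the request without sending it, to show exactly what is disclosed.
function buildRangeRequest(prefix) {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error('prefix must be 5 hex chars');
  return {
    url: `https://api.pwnedpasswords.com/range/${prefix}`,
    headers: { 'Add-Padding': 'true' },
  };
}

// Local comparison: return the occurrence count for `suffix`, or 0 if absent.
// Padded responses carry decoy lines with a count of 0, which are not matches.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix.toUpperCase()) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// Constructed response body for the prefix of "password"; counts are made up.
function sampleResponse() {
  return [
    `${'A'.repeat(35)}:3`,
    `${splitHash('password').suffix}:1234`,
    `${'B'.repeat(35)}:0`, // padding decoy
  ].join('\r\n');
}

const { prefix, suffix } = splitHash('password');
console.log(buildRangeRequest(prefix).url, countInRange(sampleResponse(), suffix));
```

A count greater than 0 means the password appears in the breach corpus; a suffix that is missing or listed with a count of 0 is treated as not found.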