NetSight beta

Password Strength

Measure password entropy, detect reuse against known breach corpora (k-anonymity Have I Been Pwned lookup), and get concrete advice. Nothing leaves your browser in plaintext.

About password analysis

This tool rates a password's strength by entropy, character class coverage and common-pattern detection, and optionally checks it against the Have I Been Pwned breach corpus using k-anonymity (only the first 5 hex chars of the SHA-1 hash are sent). The full password never leaves your browser.
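The k-anonymity lookup described above, sketched as an added example (this is not NetSight's own code). The injected `fetchRange` callback and the sample response body are constructed for illustration so the block runs offline; only the 5-character prefix is ever handed to the callback.

```javascript
// Added example (not NetSight's code): HIBP-style k-anonymity range check.
// WebCrypto is global in browsers and Node 19+; older Node exposes it via node:crypto.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Uppercase hex SHA-1 of the password, the form the range API's rows use.
async function sha1Hex(password) {
  const digest = await subtle.digest("SHA-1", new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// The 5-char prefix is the only value sent; the 35-char suffix stays local.
async function splitHash(password) {
  const hash = await sha1Hex(password);
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
// Rows with count 0 (padding filler) and malformed rows count as "not found".
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate.toUpperCase() !== suffix) continue;
    const n = Number.parseInt(count, 10);
    return Number.isInteger(n) && n > 0 ? n : 0;
  }
  return 0;
}

// fetchRange(prefix) is injected (hypothetical name) so this runs offline; a live
// client would GET https://api.pwnedpasswords.com/range/<prefix> and return the text.
async function breachCount(password, fetchRange) {
  const { prefix, suffix } = await splitHash(password);
  return countInRange(await fetchRange(prefix), suffix);
}

// Constructed response body for prefix 5BAA6; the counts are made up.
const SAMPLE_RANGE_BODY = [
  "0123456789ABCDEF0123456789ABCDEF012:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
  `${"F".repeat(35)}:0`,
].join("\r\n");

breachCount("password", async () => SAMPLE_RANGE_BODY)
  .then((n) => console.log(`"password" matched a sample row with count ${n}`));
```

The suffix comparison happens entirely on the client, so the service learns only which 5-character bucket was requested, not which row (if any) matched.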

Entropy

Entropy is a measure of unpredictability in bits. Every character class (lowercase, uppercase, digits, symbols) expands the search space attackers must brute-force. As rough targets:

  • Below 40 bits - weak, trivially crackable by a modern GPU.
  • 40-60 bits - ok against slow hashes (bcrypt) but not strong.
  • 60-80 bits - solid for most accounts.
  • 80+ bits - strong, roughly equivalent to a 14-char random password with 4 classes.

Questions

Does my password leave the browser?
Only if you enable the breach check, and even then only the first 5 hex characters of the SHA-1 hash (3 bytes of entropy) are sent. This is the same k-anonymity API that 1Password and Firefox Monitor use.

What's the best strategy?
Passphrases (four or more unrelated words) beat short random strings for memorability and raw entropy. Better still: a password manager generating 20+ random characters per site, protected by a strong master passphrase and MFA.

Why isn't my 'P@ssw0rd!' green?
Common words and predictable substitutions (0 for o, @ for a) are in every attacker dictionary. Length beats clever tricks.