Password safety

Is your password any good, and has it leaked?

Test a password's strength and check it against billions of breached passwords, without the password ever leaving your browser. Strength is measured locally. The breach check sends only the first five characters of a hash, never the password.

Test a password

Waiting for input

Generate a passphrase instead

Diceware: random words from the EFF list, picked with your browser's secure random generator. Easy to remember, brutal to crack. Nothing is generated on our server.

What leaves your browser

For strength: nothing, the analysis runs entirely in your browser. For the breach check: your password is hashed with SHA-1 in your browser and only the first 5 characters of that hash are sent to our server, which forwards them to the Have I Been Pwned range API. The full hash and the password never leave your device; the matching happens locally. Generated passphrases never leave your browser. Verify in the source.

Do this instead of memorising passwords

Use a password manager

One strong master password, unique random passwords everywhere else. Bitwarden is free and open source; 1Password is a polished paid option.

Prefer passphrases for the ones you type

For your master password and device logins, a six-word passphrase beats a short complex string and is far easier to recall.

Turn on two-factor authentication

Even a breached password is far less useful to an attacker when a second factor is required. Use an authenticator app or a hardware key.

These are unpaid recommendations chosen on merit. If that ever changes, this line will say so.