Entropy, zxcvbn score, and Have I Been Pwned (k-anonymity). Your password never leaves the browser except the anonymous range query.
Entropy, zxcvbn score, and Have I Been Pwned (k-anonymity). Your password never leaves the browser except the anonymous range query.
Password Strength Meter
Estimate entropy, show zxcvbn score, and query Have I Been Pwned using k-anonymity (SHA-1 prefix only). Your full password never leaves the browser.
Password Strength Meter Use Cases
- Coach users during sign-up flows
- Compare passphrase ideas before adopting them
- Security awareness labs without installing software
- Explain why length and diversity matter
Password Strength Meter FAQ
How does the breach check work?
Your password is SHA-1 hashed locally. Only the first five hex characters are sent to Have I Been Pwned to retrieve candidate matches β a k-anonymity design.
Does fmtly see my password?
No. Analysis runs in your browser. The breach API never receives your full password.
Is zxcvbn enough?
zxcvbn is a strong heuristic. Combine it with a unique password and a password manager.
What if I am offline?
Entropy and zxcvbn still work; the breach count may be unavailable without network access.