About HowWeak

Free, open-source password security checker to help you evaluate the strength of your passwords.

How It Works

When you enter a password, the security analysis happens entirely in your browser. Your password never leaves your device. The analysis checks multiple security criteria based on current standards (NIST, BSI).

Additionally, a SHA-256 hash of your password is generated in your browser and sent to our Cloudflare Worker. The Worker compares this hash against millions of known weak password hashes.

Important: If your password matches any known weak password, your security score is automatically set to 0 points — regardless of length or complexity. Known weak passwords are trivial to crack, even if they appear strong.

Scoring Method

Your password receives a score from 0 to 100 points based on:

  • Length ≥ 8 characters: +20 points
  • Length ≥ 12 characters: +20 points (additional)
  • Length ≥ 16 characters: +10 points (additional)
  • Uppercase letters (A-Z): +10 points
  • Lowercase letters (a-z): +10 points
  • Numbers (0-9): +10 points
  • Special characters (!@#$%...): +15 points
  • No repeating patterns: +5 points

Maximum score: 100 points
85-100: Excellent Security | 70-84: Good Security | 50-69: Fair Security | 0-49: Poor Security
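
The scoring table and the known-weak override described above, as a runnable function. This is an added example, not HowWeak's own code: the names `RULES`, `rate` and `scorePassword`, the definitions of "special character" and "repeating pattern", and the zero score for empty input are assumptions, and the result of the weak-hash lookup is passed in as a boolean so the example runs offline.

```javascript
// Added example: the scoring table from this page. Not HowWeak's source code.
// Assumption: length is counted in Unicode code points, not UTF-16 units.
const len = (p) => Array.from(p).length;

const RULES = [
  { label: "length >= 8",  points: 20, test: (p) => len(p) >= 8 },
  { label: "length >= 12", points: 20, test: (p) => len(p) >= 12 },
  { label: "length >= 16", points: 10, test: (p) => len(p) >= 16 },
  { label: "uppercase",    points: 10, test: (p) => /[A-Z]/.test(p) },
  { label: "lowercase",    points: 10, test: (p) => /[a-z]/.test(p) },
  { label: "digit",        points: 10, test: (p) => /[0-9]/.test(p) },
  // Assumption: "special" is any character that is not an ASCII letter or digit.
  { label: "special",      points: 15, test: (p) => /[^A-Za-z0-9]/.test(p) },
  // Assumption: a "repeating pattern" is one character three or more times in a row.
  { label: "no repeats",   points: 5,  test: (p) => !/(.)\1{2,}/.test(p) },
];

// Map a score to the rating bands listed on this page.
function rate(score) {
  if (score >= 85) return "Excellent Security";
  if (score >= 70) return "Good Security";
  if (score >= 50) return "Fair Security";
  return "Poor Security";
}

// knownWeak: outcome of the weak-hash lookup (hypothetical parameter).
function scorePassword(password, knownWeak = false) {
  // Assumption: empty input scores 0 rather than earning the "no repeats" points.
  if (knownWeak || password.length === 0) {
    return { score: 0, rating: rate(0), met: [] };
  }
  const met = RULES.filter((r) => r.test(password));
  const score = met.reduce((sum, r) => sum + r.points, 0);
  return { score, rating: rate(score), met: met.map((r) => r.label) };
}

// Constructed sample inputs. "Password1!" passes six of the eight rules on
// its own, which is why the known-weak override has to win over the table.
const samples = ["Password1!", "correct-horse-battery-staple", "aaaaaaaa"];
for (const pw of samples) {
  console.log(pw, scorePassword(pw), scorePassword(pw, true).score);
}
```
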

Privacy & Security

Strict No-Log Policy: Your cleartext password is never transmitted or stored. Only the cryptographic hash is sent to our server for immediate analysis.

The hash is not stored. No logs are kept. No personal data is collected. Only anonymized statistics (password length, complexity patterns) are stored for research purposes.

Technology

Built with Hugo (static site generator), Cloudflare Workers (serverless backend), and open-source technologies.

Made in Germany 🇩🇪 · Open Source · Privacy-First