About HowWeak

Free, open-source password security checker to help you evaluate the strength of your passwords.

How It Works

When you enter a password, the security analysis happens entirely in your browser. Your password never leaves your device. The analysis checks multiple security criteria based on current standards (NIST, BSI).

Additionally, a SHA-256 hash of your password is generated in your browser and sent to our Cloudflare Worker. The Worker compares this hash against millions of known weak password hashes.

Important: If your password matches any known weak password, your security score is automatically set to 0 points — regardless of length or complexity. Known weak passwords are trivial to crack, even if they appear strong.

Scoring Method

Your password receives a score from 0 to 100 points based on:

  • Length (max 30 points): +10 points each for ≥8, ≥12, ≥16 characters
  • Entropy (max 40 points - highly weighted!): +10 points each for ≥28, ≥40, ≥50, ≥60 bits
  • Character variety (max 25 points):
    • Uppercase letters (A-Z): +6 points
    • Lowercase letters (a-z): +6 points
    • Numbers (0-9): +6 points
    • Special characters (!@#$%...): +7 points
  • Pattern avoidance (max 5 points): No repeating chars +3, no sequential numbers +2

What is Entropy?
Entropy measures the randomness and unpredictability of your password. Higher entropy = harder to crack. It's calculated as: bits = length × log₂(character set size). A strong password should have at least 60 bits of entropy.

Maximum score: 100 points
85-100: Excellent Security | 70-84: Good Security | 50-69: Fair Security | 0-49: Poor Security

Privacy & Security

Strict No-Log Policy: Your cleartext password is never transmitted or stored. Only the cryptographic hash is sent to our server for immediate analysis.

Offline Mode: You can enable "Offline Mode" on the main page. When activated, the password hash never leaves your device. Analysis happens entirely in your browser, but the breach database check is skipped. Anonymous statistics are still collected for research.

The hash is not stored. No logs are kept. No personal data is collected. Only anonymized statistics (password length, entropy, complexity patterns) are stored for research purposes.

Technology

Built with Hugo (static site generator), Cloudflare Workers (serverless backend), and open-source technologies.

Made in Germany 🇩🇪 · Open Source · Privacy-First