Formula Used
- Length scoring rewards longer passwords, with the largest gains at 12 and again at 16+ characters.
- Character variety adds points for each class present (upper, lower, digits, symbols).
- Pattern penalties reduce the score for repeated characters, sequences, and common words.
- Reuse count reduces the score by up to 30 points.
- Password age (days since last change) reduces the score by up to 8 points.
- Missing MFA reduces the score by 8 points; not using a password manager reduces it by 4.
If online checking is enabled and a match is found, a log-scaled penalty is applied based on how many times the password appeared in leak corpora.
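The scoring model above, worked through as an added example in Python. This is not the calculator's own code: the page fixes only the caps (reuse up to 30, age up to 8, no MFA 8, no manager 4) and says the leak penalty is log-scaled, so every weight marked ASSUMED below, the hygiene budget of 35, the common-word list, and the Medium/High/Critical cut-offs are this example's own choices; only "Low above 80" comes from the page.

```python
import math
import re

# Added example of the page's three-part model (strength, hygiene, leak exposure).
# The page fixes only the caps (reuse up to 30, age up to 8, no MFA 8, no manager 4)
# and says the leak penalty is log-scaled; every weight marked ASSUMED is this example's own.
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome", "admin")  # constructed list

def length_score(pw: str) -> int:
    """ASSUMED weights: 0 under 8 chars, 20 at 8-11, 35 at 12-15, 45 at 16+."""
    n = len(pw)
    if n < 8:
        return 0
    if n < 12:
        return 20
    return 35 if n < 16 else 45

def variety_score(pw: str) -> int:
    """ASSUMED: 5 points per character class present (lower/upper/digit/symbol), max 20."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return 5 * sum(classes)

def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly one code point (abcd, 1234, 4321)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def pattern_penalty(pw: str) -> int:
    """ASSUMED: 10 points each for a triple repeat, a sequence, and a common word (max 30)."""
    penalty = 0
    if re.search(r"(.)\1\1", pw):        # same character three or more times in a row
        penalty += 10
    if has_sequence(pw):
        penalty += 10
    if any(word in pw.lower() for word in COMMON_WORDS):
        penalty += 10
    return penalty

def hygiene_penalty(reuse_count: int, days_since_change: int, mfa: bool, manager: bool) -> int:
    """Caps from the page: reuse up to 30, age up to 8, no MFA 8, no manager 4.
    ASSUMED rates: 10 points per site beyond the first, 1 point per 90 days since rotation."""
    reuse = min(30, 10 * max(0, reuse_count - 1))
    age = min(8, max(0, days_since_change) // 90)
    return reuse + age + (0 if mfa else 8) + (0 if manager else 4)

def leak_penalty(leak_count: int) -> int:
    """Log-scaled, as the page states. ASSUMED scale: 15 * log10(count + 1), capped at 60.
    A count of 0 covers both 'no match found' and 'online check disabled'."""
    if leak_count <= 0:
        return 0
    return min(60, round(15 * math.log10(leak_count + 1)))

def risk_band(total: int) -> str:
    """Low above 80 matches the page's FAQ; the other cut-offs are ASSUMED."""
    if total > 80:
        return "Low"
    if total > 60:
        return "Medium"
    if total > 40:
        return "High"
    return "Critical"

def score(pw, reuse_count=1, days_since_change=0, mfa=True, manager=True, leak_count=0):
    """Blend strength (0-65) with an ASSUMED hygiene budget of 35 less penalties, then the leak penalty."""
    strength = max(0, length_score(pw) + variety_score(pw) - pattern_penalty(pw))
    hygiene = hygiene_penalty(reuse_count, days_since_change, mfa, manager)
    leak = leak_penalty(leak_count)
    total = max(0, min(100, strength + 35 - hygiene - leak))
    return {"strength": strength, "hygiene_penalty": hygiene, "leak_penalty": leak,
            "score": total, "risk": risk_band(total)}

if __name__ == "__main__":
    print(score("Correct-Horse-Battery-9", reuse_count=1, days_since_change=30))
    print(score("Password1234", reuse_count=3, days_since_change=400,
                mfa=False, manager=False, leak_count=3_000_000))
```

The two sample calls show the point FAQ 3 makes: the second password is not short, yet reuse, age, missing MFA and a large leak count drive it to Critical regardless of its strength component.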
How to Use This Calculator
- Enter a password you want to assess (avoid production secrets on shared devices).
- Set reuse count and days since last change for a realistic hygiene score.
- Enable online leak checking for breach-awareness without exposing the password.
- Submit to view the score and recommended actions above the form.
- Download CSV or PDF to attach to audits or security reviews.
Example Data Table
| Label | Password length | Reuse count | MFA | Online check | Leak status | Expected risk |
|---|---|---|---|---|---|---|
| Finance email | 18 | 1 | Enabled | Enabled | No match found | Low |
| Work portal | 10 | 3 | Not enabled | Enabled | Match found (example) | Critical |
| Forum account | 12 | 2 | Enabled | Disabled | Not checked online | High |
Security Guidance Article
Exposure checks without sharing secrets
This calculator offers a hash-prefix lookup to check whether a password appears in breach corpora without transmitting the password itself. Only the first five hexadecimal characters of the password's SHA-1 hash are sent; the service returns every known hash suffix under that prefix, and the comparison against the local hash happens on the device. That design reduces privacy risk while still detecting common, reused, or previously exposed passwords. In security awareness programs, this supports safe hands-on testing and reinforces why unique credentials matter across critical accounts.
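The exchange described here (and restated in FAQ 1), as an added Python example that is not the calculator's own code. The client hashes locally, sends only the five-character SHA-1 prefix, receives every suffix under that prefix, and compares on the device. The remote service is stood in for by `simulated_range_response`, which answers from `FAKE_CORPUS`, a constructed list with made-up counts; the `SUFFIX:COUNT` line shape is the one k-anonymity range APIs of this kind return.

```python
import hashlib
from typing import Dict, Tuple

# CONSTRUCTED stand-in for the remote breach corpus; passwords and counts are made up.
FAKE_CORPUS = {"password": 1_000_000, "letmein": 50_000, "Summer2024!": 120}

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash locally. Only the 5-char prefix is ever sent; the 35-char suffix stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def simulated_range_response(prefix: str) -> str:
    """Simulated server side (assumed for this example): return every SUFFIX:COUNT line whose
    full hash starts with `prefix`. The server learns the prefix, not which suffix the client wants."""
    lines = []
    for pw, count in FAKE_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts

def check_password_exposure(password: str) -> Tuple[str, int]:
    """Full client flow: hash, send prefix, compare suffix locally.
    Returns (prefix_sent, match_count); match_count 0 means 'No match found'."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = simulated_range_response(prefix)      # in the real tool this is the HTTPS range request
    return prefix, parse_range_response(body).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-Battery-9"):
        sent, hits = check_password_exposure(candidate)
        print(f"sent prefix {sent}: {'match found, count ' + str(hits) if hits else 'no match found'}")
```

Note what the network sees in `check_password_exposure`: a five-character prefix shared by a large number of unrelated passwords, and a response listing all of them. Neither the password nor its full hash leaves the device, which is what lets the tool be used on real-looking test passwords in awareness sessions.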
Understanding match count and business impact
When a match is found, the reported frequency indicates how widely the password has appeared in dumps. A higher count often correlates with automated credential-stuffing success, because attackers prioritize popular leaked strings. Even a low count can be harmful if the credential is reused on critical services. Combine the leak result with reuse count, MFA status, and account sensitivity to decide whether to reset, enforce step-up authentication, or trigger incident review.
Scoring model for policy alignment
The score blends three measurable components: password strength, hygiene, and leak exposure. Strength rewards length and character variety while penalizing patterns, sequences, and common words. Hygiene reflects real-world behavior, including reuse across sites, age since rotation, and adoption of MFA and a password manager. Leak exposure applies a log-scaled penalty so that widely leaked passwords move into high-risk territory, aligning results with typical policy thresholds.
Reducing risk with operational controls
Use outcomes to drive action, not blame. For high or critical results, reset credentials, revoke active sessions, and review recovery channels. Enforce MFA on email first, because it can reset other accounts. Implement manager-based generation, disallow known-breached passwords in directory policies, and add rate-limiting for login endpoints. For shared teams, document rotation windows and train users to recognize credential-stuffing alerts and suspicious sign-in notifications.
Reporting and continuous improvement
Exports support audits and remediation tracking. Store only the score and hygiene fields in tickets, not the password, and link remediation steps to a change record. Trend scores by business unit to identify training gaps and systems lacking MFA. Repeat checks during onboarding, privilege changes, and after breach news. Over time, raise minimum length targets, expand MFA coverage, and reduce reuse count through manager adoption and SSO.
FAQs
1) Does the online check send my password to any service?
No. The password is hashed locally and only a short hash prefix is queried. The full match is checked on your device, so the password itself is never transmitted.
2) What does “Match found” mean in practical terms?
It means the password appears in known breach datasets. Attackers routinely try such passwords at scale, so you should change it immediately and avoid reusing it anywhere.
3) Why can a strong password still score poorly?
Leak exposure and hygiene reduce the score. A long password that is reused, old, or linked to a leak can still be high-risk in real environments.
4) Should I rotate passwords on a fixed schedule?
Prioritize rotation when exposure is suspected, privileges change, or policy requires it. Frequent forced changes can backfire unless paired with MFA, manager usage, and breach monitoring.
5) What score is acceptable for privileged accounts?
Aim for Low risk with a score above 80, plus MFA. Admin, email, and finance accounts should use unique 16+ character passwords created by a manager.
6) What should I store in tickets or audit notes?
Store the score, risk level, leak status, and remediation steps. Do not store the password. Use the CSV or PDF export as a sanitized summary.