Building a Zero-Knowledge Password Strength Checker
I built a password tool that never sees your password. Here is how client-side entropy calculation, k-anonymity breach checks, and zero backend architecture work together.
Most password strength checkers work the same way. You type your password into a text field on someone else's server, they process it, and you trust that they did not log it. That has always felt backwards to me. A security tool should not ask you to compromise your security to use it.
That is why I built Password Security FluxWillow — a password strength checker and generator that runs entirely in your browser. No backend. No database. Your password never leaves your RAM.
The problem with most password tools
When you type a password into a typical online checker, you are trusting that the server does not store it, does not log it, and does not have a vulnerability that exposes it. That is a lot of trust for a tool you found through a search engine five seconds ago.
Even well-intentioned tools can leak data through server logs, analytics payloads, or misconfigured endpoints. The safest password check is one where the password never hits a wire in the first place.
How it works: zero-knowledge by design
The entire application is static HTML, CSS, and JavaScript. When you type or generate a password, the strength calculation happens locally using the browser's window.crypto API. The entropy score, crack time estimate, and character analysis all run in your browser's memory. Nothing is sent anywhere.
For breach checking, the tool uses the Have I Been Pwned API with a k-anonymity protocol. Your browser hashes the password with SHA-1 locally, then sends only the first 5 hex characters of that hash to the API. The API returns the list of hash suffixes that share that 5-character prefix, and your browser compares the remaining 35 characters of its own hash against that list on your machine. Neither FluxWillow nor the HIBP API ever sees the actual password, and the API cannot tell which of the returned suffixes (if any) was the one you were looking for. This is the same method recommended by security researchers worldwide.
Entropy as the real metric
Most tools give you a vague "strong" or "weak" label. That is not very useful. What matters is entropy — the mathematical measure of how much randomness your password contains. The formula is straightforward: multiply the password length by the log-base-2 of the character pool size. A 16-character password using lowercase, uppercase, numbers, and symbols lands above 100 bits of entropy, which is well beyond what current hardware can brute-force in any reasonable timeframe.
The tool shows your exact entropy score and estimates crack time against modern GPU clusters capable of a trillion guesses per second. If you want to understand the math in more detail, I wrote a dedicated entropy guide that breaks down the formula, the NIST thresholds, and why 80 bits is considered the current gold standard.
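The two pieces described above, the entropy score and the k-anonymity range check, as an added example written for this post (it is not the FluxWillow source). The 33-character symbol pool, the sample range response and its counts are constructed assumptions; `fetchRange` is a hypothetical hook so the check runs offline.

```javascript
// Character classes used to infer the pool size; the symbol count is an assumption.
const POOLS = [
  { size: 26, test: /[a-z]/ },
  { size: 26, test: /[A-Z]/ },
  { size: 10, test: /[0-9]/ },
  { size: 33, test: /[^a-zA-Z0-9]/ },
];
const GUESSES_PER_SECOND = 1e12; // the benchmark rig used in the post

// Entropy in bits = length * log2(pool size), pool inferred from the classes present.
function entropyBits(password) {
  const pool = POOLS.filter(p => p.test.test(password)).reduce((n, p) => n + p.size, 0);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Expected seconds to find the password: half the keyspace at the benchmark rate.
function crackSeconds(bits) {
  return Math.pow(2, bits - 1) / GUESSES_PER_SECOND;
}

// k-anonymity split: the 5-char prefix goes to HIBP, the 35-char suffix stays local.
function splitHash(hexSha1) {
  const h = hexSha1.toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) throw new Error('expected a 40-hex-char SHA-1');
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Parse a range response ("SUFFIX:COUNT" per line) and return our suffix's count, 0 if absent.
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [s, count] = line.trim().split(':');
    if (s && s.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// Local SHA-1 via SubtleCrypto (window.crypto in the browser; falls back to Node's webcrypto).
async function sha1Hex(password) {
  const subtle = (globalThis.crypto && globalThis.crypto.subtle) || require('crypto').webcrypto.subtle;
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest)).map(b => b.toString(16).padStart(2, '0')).join('').toUpperCase();
}

// Full flow: hash locally, send only the prefix through fetchRange(prefix), match locally.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return { bits: entropyBits(password), breaches: breachCount(await fetchRange(prefix), suffix) };
}

// Constructed range response for prefix 5BAA6; the second suffix is SHA-1("password"), counts invented.
const SAMPLE_RANGE_5BAA6 = [
  '003D68EB55068C33ACE09247EE4C639306B:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1',
].join('\r\n');
```

In the real tool `fetchRange` would be a `fetch` of the HIBP range endpoint for the prefix; here it can simply return `SAMPLE_RANGE_5BAA6` to exercise the matching offline.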
The generator
The built-in generator creates passwords with configurable length and character sets — lowercase, uppercase, numbers, and symbols. Default is 16 characters with all sets enabled, which produces excellent entropy out of the box. You can copy the result with one click. It is not fancy, but it does the job without phoning home.
Technical decisions I made
No frameworks. No build step. No server-side code at all. The entire tool is a static site that can be served from any CDN or basic hosting. I chose this deliberately because every additional dependency is a potential attack surface. A password tool with a Node backend and 200 npm packages is a contradiction.
The crack time estimates benchmark against one trillion guesses per second, which represents a high-end consumer GPU rig. State-level actors with larger clusters could be faster, so the numbers should be read as relative strength indicators, not absolute guarantees. The rate also assumes the attacker is guessing against a fast, unsalted hash; a site that stores passwords with a slow hashing function such as bcrypt or Argon2 lowers the real guess rate by orders of magnitude. The tool is transparent about this in its terms.
Who this is for
Anyone who wants to check or generate a password without trusting a third party. Developers who want to audit credentials during onboarding flows. Security-conscious users who read the fine print and care about where their keystrokes end up. People who have been burned by breaches and want to verify their passwords against known leaks without creating yet another account somewhere.
Try the tool here. It is free, it is open to inspection, and it does not know who you are.