Und3rTakerOPS/LeakHunter

LeakHunter

LeakHunter is an advanced open-source tool for analyzing password security and exposure risks, designed for both enterprise and educational use. It features a modern web interface and a modular Java backend for in-depth password pattern analysis, risk scoring, and actionable recommendations.


🚀 Features

  • Risk Scoring: Calculates a risk score for each password based on entropy, dictionary patterns, keyboard sequences, date/year patterns, corporate patterns, leet speak, and more.
  • Pattern Detection: Identifies vulnerabilities such as dictionary words, keyboard walks, dates, company names, leet substitutions, repeated characters, and inclusion of usernames.
  • Entropy & Crack Time: Estimates Shannon entropy and time to crack using various attack scenarios (offline GPU, online, bcrypt, NTLM, etc.).
  • Batch Analysis: Analyze entire lists of passwords (e.g., by department) and export results as CSV or text reports.
  • Recommendations: Provides actionable, context-aware suggestions to improve password security.
  • Modern Web UI: Responsive, user-friendly interface for both single and batch analysis, with real-time feedback and visualizations.
  • Java Modular Engine: Easily integrable as a CLI tool, servlet, or library for internal audits and automation.
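
An added illustration of the checks listed above, written for this page and not taken from LeakHunter's source: it computes character-level Shannon entropy, turns it into a rough crack time per attack scenario, and runs a few of the pattern checks. The word list, keyboard rows, leet map and guess rates are constructed assumptions, and all function names are hypothetical.

```javascript
// Added illustration, not LeakHunter's code. Word list, rows, leet map and rates are constructed.
const COMMON = ["password", "welcome", "admin", "letmein"]; // tiny constructed dictionary
const ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };
const RATES = { onlineThrottled: 10, bcryptOffline: 1e4, ntlmOfflineGpu: 1e10 }; // guesses/s, assumed

// Shannon entropy of the character distribution, in bits for the whole string.
function shannonBits(pw) {
  const counts = {};
  for (const ch of pw) counts[ch] = (counts[ch] || 0) + 1;
  let perChar = 0;
  for (const n of Object.values(counts)) {
    const p = n / pw.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * pw.length;
}

// Undo common leet substitutions so "P@ssw0rd" matches "password".
const deLeet = (s) => [...s.toLowerCase()].map((c) => LEET[c] || c).join("");

// True if the password contains `min` adjacent keys from one keyboard row, in either direction.
function hasKeyboardWalk(pw, min = 4) {
  const s = pw.toLowerCase();
  for (const row of ROWS) {
    for (const r of [row, [...row].reverse().join("")]) {
      for (let i = 0; i + min <= r.length; i++) {
        if (s.includes(r.slice(i, i + min))) return true;
      }
    }
  }
  return false;
}

function analyze(pw, username = "") {
  const lower = pw.toLowerCase();
  const plain = deLeet(pw);
  const findings = [];
  if (COMMON.some((w) => lower.includes(w))) findings.push("dictionary");
  else if (COMMON.some((w) => plain.includes(w))) findings.push("leet");
  if (hasKeyboardWalk(pw)) findings.push("keyboard");
  if (/(19|20)\d{2}/.test(pw)) findings.push("year");
  const user = username.toLowerCase().replace(/[^a-z0-9]/g, "");
  if (user.length >= 3 && lower.replace(/[^a-z0-9]/g, "").includes(user)) findings.push("username");
  const bits = shannonBits(pw);
  const seconds = {}; // average time to search half the space implied by `bits`
  for (const [name, rate] of Object.entries(RATES)) seconds[name] = 2 ** bits / 2 / rate;
  return { bits, findings, seconds };
}
```

For `Password123!` the entropy figure alone comes out at about 41 bits, yet the dictionary finding shows a wordlist attack would reach it long before a brute-force search, which is why the score combines entropy with pattern checks.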

📁 Project Structure

  • LeakHunter.html — Main web application (HTML, CSS, JS, fully client-side, no backend required)
  • PasswordAnalysisEngine.java — Core Java analysis engine
  • PasswordPatternChecker.java — Interface for modular pattern checkers
  • CommonPasswordChecker.java — Checks for common/dictionary passwords
  • KeyboardPatternChecker.java — Detects keyboard sequences (e.g., qwerty, asdf)
  • DatePatternChecker.java — Detects date/year patterns
  • CorporatePatternChecker.java — Detects company-specific patterns
  • LeetSpeakChecker.java — Detects leet speak substitutions
  • Finding.java — Data structure for analysis findings
  • AnalysisConfig.java — Utility for loading configuration data
  • oracleJdk-26/ — (Bundled JDK, if present)

🖥️ How to Use LeakHunter

Web Application (No Installation Required)

  1. Download or clone the repository to your local machine.
  2. Open LeakHunter.html in any modern browser (Chrome, Firefox, Edge, Safari). No server or installation is needed.
  3. Single Analysis:
    • Enter a password in the input field.
    • Optionally, add user/department and company info for context-aware checks.
    • Select or deselect analysis modules (dictionary, keyboard, date, corporate, leet).
    • Click ANALYZE PASSWORD to view the risk score, detected patterns, vulnerabilities, and recommendations.
  4. Batch Analysis:
    • Paste a list of passwords (one per line) in the batch section.
    • Select the department and run the batch analysis.
    • Results include risk scores, vulnerabilities, and export options.
  5. Exporting Results:
    • Download results as CSV or TXT reports for further review or compliance.

Screenshots

Add screenshots or GIFs here to illustrate the UI and workflow.

Java Engine (Integration & CLI)

  1. Compile the Java sources (JDK 8+ required):
    javac *.java
  2. Run the demo CLI (optional):
    java PasswordAnalysisEngine
    This will analyze sample passwords and print reports to the console.
  3. Integrate in your Java project:
    • Import the relevant classes (PasswordAnalysisEngine, PasswordPatternChecker, etc.).
    • Use the API to analyze passwords and retrieve findings, risk scores, and recommendations.

Example (Java)

PasswordAnalysisEngine engine = new PasswordAnalysisEngine();
PasswordAnalysisEngine.AnalysisOptions opts = PasswordAnalysisEngine.AnalysisOptions.defaults().withCompany("Acme Corp, 2010, tech");
PasswordAnalysisEngine.AnalysisResult result = engine.analyze("Password123!", "j.doe", "Finance", opts);
System.out.println(result.toReport());

🛠️ Troubleshooting & FAQ

Q: The web app doesn't load or analyze passwords.

  • Make sure you are opening LeakHunter.html with a modern browser.
  • If you see CORS or file access errors, try using "Open with" and select your browser directly.

Q: Can I use LeakHunter on mobile?

  • The UI is responsive, but the best experience is on desktop.

Q: Are my passwords sent anywhere?

  • No. All analysis is performed locally in your browser or Java process. Nothing is sent or stored externally.

Q: How do I add new pattern checkers?

  • Implement the PasswordPatternChecker interface in Java and register your checker in the engine.

Q: Can I use this for compliance or audits?

  • Yes, LeakHunter is suitable for internal audits, awareness training, and compliance reporting.

💡 Example Usage

Web

No installation required. Just open the HTML file in your browser.

Java

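import java.util.List;

// PasswordAnalysisEngine and Finding are the project's own classes.
PasswordAnalysisEngine engine = new PasswordAnalysisEngine();
List<Finding> findings = engine.analyze("Password123!", "j.doe", "Acme Corp");
// Print each finding reported for this password.
for (Finding f : findings) {
    System.out.println(f);
}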

⚙️ Requirements

  • Web: Any modern browser (Chrome, Firefox, Edge, Safari)
  • Java: JDK 8+ (JDK 26 included for reference)

🔒 Security & Privacy

  • All analysis is performed locally in the browser or Java process.
  • No passwords are sent or stored anywhere.

📄 License

MIT License. See LICENSE file if present.


👤 Authors

  • Developed by Eliad and contributors.

For questions, suggestions, or contributions, open an issue or pull request.
