This Python script calculates the entropy of a password and checks if it has been exposed in a data breach using the Have I Been Pwned (HIBP) API.
- Entropy Calculation — Estimates password strength using character variety
- Strength Rating — Categorizes passwords from Very Weak to Very Strong
- Breach Detection — Checks if the password has been exposed in real-world leaks
- Safe Lookup — Uses k-anonymity; password is never fully sent to any server
The entropy (E) is calculated using the formula:
E = log₂(R^L) = L × log₂(R)
Where:
- E = entropy in bits
- R = number of possible characters (charset size)
- L = length of the password
| Character Type | Contribution to R |
|---|---|
| Lowercase a–z | 26 |
| Uppercase A–Z | 26 |
| Digits 0–9 | 10 |
| Special characters | 30 |
| Entropy (bits) | Strength |
|---|---|
| < 28 | Very Weak |
| 28 – 35 | Weak |
| 36 – 59 | Moderate |
| 60 – 79 | Good |
| 80 – 127 | Strong |
| 128+ | Very Strong |
This script uses the Have I Been Pwned "Pwned Passwords" API.
- Password is hashed with SHA-1
- The first 5 characters of the hash are sent to the API
- The API returns a list of hashes that match that prefix
- The suffix is locally checked to determine if the password is compromised
(This preserves privacy using k-anonymity.)
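The two steps described above (entropy from the tables, then the k-anonymity lookup) as a compact worked example; this is added code, not the script's own. It uses the standard-library urllib in place of requests, the User-Agent string is a placeholder, and the fetch function is injectable so the suffix matching can be run against a constructed /range body without any network access.

```python
import hashlib, math, string, urllib.request

# Character classes and their contribution to R, taken from the table above.
CHARSET_SIZES = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                 (string.digits, 10), (string.punctuation, 30))
# Strength bands from the rating table above, as (lower bound in bits, label).
STRENGTH_BANDS = ((128, "Very Strong"), (80, "Strong"), (60, "Good"),
                  (36, "Moderate"), (28, "Weak"), (0, "Very Weak"))
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def charset_size(password):
    # R = sum of the class sizes for every class that appears at least once
    return sum(n for chars, n in CHARSET_SIZES if any(c in chars for c in password))

def password_entropy(password):
    # E = L * log2(R); an empty password (R == 0) has no entropy
    r = charset_size(password)
    return len(password) * math.log2(r) if r else 0.0

def strength_rating(bits):
    # Fractional bits fall into the band whose lower bound they have reached
    return next(label for lower, label in STRENGTH_BANDS if bits >= lower)

def split_sha1(password):
    # Uppercase hex SHA-1: the 5-char prefix goes to HIBP, the 35-char suffix stays local
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    # /range replies with one "SUFFIX:COUNT" per line; 0 means our suffix is absent
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0

def fetch_range(prefix):
    # Live call (urllib stands in for the script's requests); HIBP requires a User-Agent
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "entropy-check-example"})  # placeholder UA
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    # Full k-anonymity check; `fetch` is injectable so the logic runs offline in tests
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))
```

Calling breach_count("...") with the default fetch performs the real lookup; passing a function that returns a constructed "SUFFIX:COUNT" body exercises the matching logic offline.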
- Python 3.x
- requests module (install with: pip install requests)
python3 password_check.py
Enter password to calculate entropy: Hunter2!
Entropy: 55.5 bits
Password Strength: Moderate
Your password is safe.
(Disclaimer: This tool is for educational and informational use only. Do not use it to test real passwords unless you trust your environment.)
Authors: Developed by Ria Singh, Lavanya Joshi, Anika Atluri