Strength is rated on five levels — Very weak, Weak, Fair, Strong, Very strong.
As you type, the checker runs two things automatically: it estimates password strength, and it looks up your password against HaveIBeenPwned — a public database of billions of passwords exposed in real data breaches. Both results are shown together: if your password appears in any breach, it is rated as very weak regardless of its complexity.
Your privacy is protected throughout. Strength analysis runs entirely in your browser — your password is never transmitted and never stored on any server. For the breach lookup, only the first 5 characters of the SHA-1 hash of your password are sent to HaveIBeenPwned. The server returns every hash suffix it holds for that prefix, roughly a thousand of them, and your browser checks locally whether its own suffix is among them. The service never sees your actual password or the full hash — this technique is called k-anonymity and is the industry standard for private breach lookups.
The checker measures how hard your password is to guess, not just how many character types it contains. Attackers know every common trick: replacing a with @, e with 3, o with 0, adding ! or 123 at the end, capitalizing the first letter. These substitutions are all built into modern cracking tools and add almost no real protection.
A password like P@ssw0rd! ticks every box — uppercase, lowercase, digit, symbol — yet it falls in seconds because it follows a pattern millions of people use. A shorter but truly random string beats it every time. The checker rewards unpredictability, not the appearance of complexity.
It means the exact password appeared in a known data breach compiled by HaveIBeenPwned. Even a single appearance means attackers have it in their dictionaries — stop using it immediately and change it everywhere you have used it.