Password Entropy Analyser & Breach Detection Tool
Real-time breach detection · Entropy scoring · Password strength assessment
A security tool that analyses password strength using information-theoretic entropy calculation and checks passwords against the HaveIBeenPwned breach database in real time — without ever sending the full password over the network.
Built to demonstrate practical application of cryptographic hashing (SHA-1 k-anonymity model) and entropy-based security scoring.
| Metric | Result |
|---|---|
| Passwords tested | 1,000+ |
| Weak/compromised detection accuracy | 98% |
| Breach check method | SHA-1 k-anonymity (password never sent in full) |
| Entropy model | Shannon entropy + character set analysis |
- Entropy scoring — calculates bits of entropy based on password length and character set diversity
- Real-time breach detection — checks against HaveIBeenPwned's database of billions of compromised passwords
- K-anonymity privacy model — only the first 5 characters of the SHA-1 hash are sent to the API; your password is never exposed
- Strength classification — Very Weak / Weak / Moderate / Strong / Very Strong
- Actionable feedback — tells the user exactly what's wrong and how to improve
1. SHA-1 hash the password locally
   e.g. "password" → 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
2. Send only the first 5 characters to the HaveIBeenPwned API
   → "5BAA6"
3. The API returns all hashes starting with "5BAA6"
   (hundreds of results, no way to identify your specific password)
4. Check locally whether your full hash is in the returned list
5. Report: "This password has been seen 3,861,493 times in data breaches"
Your actual password never leaves your machine.
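Shannon entropy is calculated as shown below. The formula assumes every character is chosen uniformly at random from the character set, so for human-chosen passwords the result is an upper bound: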
H = L × log₂(R)
Where:
H = entropy in bits
L = password length
R = size of character set used
· lowercase only: 26
· + uppercase: 52
· + numbers: 62
· + special chars: 95
| Entropy | Strength | Example |
|---|---|---|
| < 28 bits | Very Weak | abc |
| 28–35 bits | Weak | password1 |
| 36–59 bits | Moderate | BlueSky42 |
| 60–127 bits | Strong | Tr0ub4dor&3 |
| 128+ bits | Very Strong | Long random passphrase |
```bash
# Clone the repo
git clone https://github.com/ANIMAALS/KeyForge.git
cd KeyForge

# Install dependencies
pip install -r requirements.txt

# Run
python passforge.py
```

Example output:
```
Password: ************
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Entropy: 42.3 bits
Strength: Moderate
Character set: Uppercase + Lowercase + Numbers
Length: 9 characters
Breach Check: ⚠ COMPROMISED
Times seen: 23,482 times in known data breaches
Recommendations:
· Add special characters (!@#$%^&*)
· Increase length to 12+ characters
· Do not use this password anywhere
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
```
KeyForge/
├── passforge.py        # Main application
├── entropy.py          # Entropy calculation module
├── breach_check.py     # HaveIBeenPwned API integration
├── classifier.py       # Strength classification logic
├── requirements.txt    # Dependencies (requests, hashlib)
└── README.md
```
| Component | Technology |
|---|---|
| Language | Python 3.10+ |
| Breach API | HaveIBeenPwned v3 (k-anonymity model) |
| Hashing | SHA-1 via Python hashlib |
| Entropy | Shannon entropy formula |
| HTTP | requests library |
Password reuse and weak passwords remain the #1 cause of account compromise. This tool gives users and security teams a fast, privacy-safe way to audit passwords without exposing them to third-party services — the same k-anonymity model used by Firefox Monitor, 1Password, and others.
Anirudh N.S. — Cybersecurity Student, Dayananda Sagar University, Bengaluru
Part of a cybersecurity project portfolio alongside WatchDog 2.4 and Phishing Detection.