Security · API
Password Strength API.
A drop-in API that returns entropy, breach status and crack-time estimates without ever seeing the raw password.
Challenge
Most password checks either leak the password to a server or give a meaningless strength bar. The goal was a real check that respects the secret.
Approach
A FastAPI microservice combining entropy scoring, pattern detection and breach checks against Have I Been Pwned through its SHA-1 k-anonymity range API, so the server never receives the actual password.
Outcome
Returns entropy, breach status and crack-time estimates in under 100 milliseconds, ready to drop into any authentication flow.
Key decisions
- HIBP k-anonymity model: only a short prefix of the password's SHA-1 hash leaves the client, so the password itself is never exposed.
- Entropy scoring plus pattern detection for a meaningful strength signal.
- Sub-100ms responses, documented FastAPI endpoints, containerised.
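To make the approach and the first key decision concrete, here is an added example (not the project's code) of the k-anonymity breach check together with a simple entropy, pattern and crack-time estimate. The range response, the counts in it, the pattern penalty and the guesses-per-second rate are all assumptions constructed for the demo; the only real identifier is the HIBP range endpoint named in the comment.

```python
import hashlib
import math
import re
# Constructed sample of a HIBP "range" response for prefix 5BAA6: one
# "<35-hex suffix>:<count>" line per leaked hash with that prefix (counts made up).
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def hash_split(password: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = hash_split(password)
    counts = dict(line.split(":") for line in fetch_range(prefix).splitlines())
    return int(counts.get(suffix, 0))

SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def detect_patterns(password: str) -> list[str]:
    """Cheap pattern checks: 3+ repeated chars, or a 4-char alphabet/keyboard run."""
    found, low = [], password.lower()
    if re.search(r"(.)\1\1", password):
        found.append("repeated_char")
    if any(low[i:i + 4] in s for s in SEQUENCES for i in range(len(low) - 3)):
        found.append("sequence")
    return found

def entropy_bits(password: str) -> float:
    """log2(pool^len) from the character classes used, halved per pattern (assumed penalty)."""
    pool = sum(size for pat, size in CHAR_CLASSES if re.search(pat, password))
    bits = len(password) * math.log2(pool) if pool else 0.0
    return bits / 2 ** len(detect_patterns(password))

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate for the estimate
def assess(password: str, fetch_range=fake_fetch_range) -> dict:
    """The JSON-shaped result an endpoint of this kind would return."""
    bits = entropy_bits(password)
    return {"entropy_bits": round(bits, 1), "patterns": detect_patterns(password),
            "breach_count": breach_count(password, fetch_range),
            "crack_seconds": 2 ** bits / GUESSES_PER_SECOND}
```

In a real deployment `fetch_range` would perform the HTTPS GET and the client would do the hashing, so neither the microservice nor HIBP ever handles the raw password.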