PASSCRACK is a single-file, client-side password strength checker. It has no server, no database, and no network calls — but it's a tool that handles passwords, so it's held to a higher bar than a typical static page. This document explains what's in scope, how data is (not) handled, and how to report a problem.
- The password you type never leaves your browser. There is no
fetch, noXMLHttpRequest, no analytics beacon, no image pixel, no WebSocket — nothing that transmits what you type anywhere. All analysis (entropy calculation, common-password check, crack-time estimate) runs locally in JavaScript. - Nothing is persisted. The page does not use
localStorage,sessionStorage, cookies, or IndexedDB. Refresh the page and everything is gone. - No third parties see your input. The only external requests the page makes are for two Google Fonts (
VT323,JetBrains Mono) at page load, before you've typed anything. They receive no password data. - The common-password list is small and local. It's a hardcoded list of well-known leaked passwords bundled in the file itself — not a live lookup against a breach database, so no hashes or partial hashes of your input are ever sent out for checking.
If you're auditing the code and want to verify this yourself, search the HTML file for fetch, XMLHttpRequest, .send(, localStorage, and document.cookie. None should reference the password input.
PASSCRACK is a single HTML file distributed as-is; there isn't a version matrix to maintain. Security fixes are applied to the latest version of password_strength_hacker.html in the main branch. If you've downloaded a copy, pull the latest file to get fixes.
If you find a security issue — for example:
- A way for typed input to be exfiltrated, logged, or persisted anywhere (network, storage, browser history, etc.)
- A cross-site scripting (XSS) vector through the password field or any other input
- A dependency (font CDN, etc.) that could be used to inject malicious code
- Any other way this page could behave differently from what's described above
please report it privately rather than opening a public issue, so users aren't exposed while a fix is prepared:
- Open a GitHub Security Advisory ("Report a vulnerability" under the Security tab of the repo), or
- If that's unavailable, email the maintainer directly (see repo profile) with a description and, if possible, steps to reproduce.
Please don't include real passwords you use elsewhere in any report — a description of the pattern (e.g. "8 characters, all digits") is enough to reproduce most issues.
- Acknowledgement within a few days.
- A fix or mitigation plan communicated back to you before public disclosure.
- Credit in the changelog/release notes if you'd like it, or anonymity if you'd rather not be named.
- The accuracy of the strength/crack-time estimates themselves isn't a security vulnerability — it's a product-quality issue. Open a normal GitHub issue for those (e.g. "entropy calculation undercounts X pattern").
- Reports about the Google Fonts CDN's own security posture (that's Google's infrastructure, not this project's).
- Anything requiring physical or malware access to the user's own device — this tool assumes the browser and OS it runs in are trustworthy.
This tool estimates strength and illustrative crack times for educational purposes — it is not a substitute for a real breach-corpus check (like a k-anonymity lookup against Have I Been Pwned) before relying on a password for something important. Don't use crack-time numbers from this page as a guarantee of safety for high-stakes accounts.