PassSec

How PassSec Works

Security Architecture · Analysis Engine · Privacy Model

PassSec evaluates every password through four independent security layers: a regex-based analysis engine, a Shannon entropy calculator, a RockYou dictionary lookup, and a k-anonymity breach check via HaveIBeenPwned. No password is ever stored or transmitted in plaintext.

REGEX ENGINE ENTROPY MATH K-ANONYMITY ROCKYOU 14M NIST SP 800-63B

MODULE_01

Analysis Engine

Every password is evaluated against 10 regex-based criteria in under 1ms. Each criterion contributes to the final score (0–100) and triggers targeted improvement suggestions. Penalties are applied for detected patterns that significantly reduce real-world security.

Minimum Length

Passwords under 8 characters are rejected immediately. 12+ characters earns bonus points; 20+ achieves maximum length score.

len(password) >= 8 / 12 / 20

Uppercase Letters

At least one uppercase letter (A–Z) expands the alphabet size from 26 to 52+, roughly doubling brute-force time per character.

[A-Z]

Lowercase Letters

Lowercase letters (a–z) form the baseline character set. Required for any password to achieve a passing score.

[a-z]

Digits

Adding digits (0–9) expands the alphabet from 52 to 62 characters, adding ~0.09 bits of entropy per character.

[0-9]

Special Symbols

Symbols (!@#$%^&*...) bring the effective alphabet to 94+, adding the most entropy per character of any class.

[!@#$%^&*()\-_=+...]

No Repetitions

Consecutive repeated characters (aaa, 111) drastically reduce effective entropy. A penalty is applied for detected repetition patterns.

(.)\1{2,}

No Sequences

Sequential character runs (abc, 123, xyz) are trivially guessable. Detected via sliding-window delta analysis over character codes.

delta(ord(c[i]), ord(c[i+1])) == 1

Keyboard Patterns

Common keyboard walks (qwerty, asdf, zxcv) are matched against a predefined pattern list. These appear in the top 1000 most common passwords.

qwerty|asdf|zxcv|qazwsx|...

Character Diversity

Using all four character classes (lower + upper + digits + symbols) unlocks the maximum diversity bonus — the single highest-value criterion.

tipuri_caractere == 4

Not in RockYou / HIBP

Checked against 14M+ leaked passwords (RockYou) and the HaveIBeenPwned breach database via k-anonymity. A match forces score to 0 and level COMPROMISED.

password in PAROLE_COMUNE | HIBP API

MODULE_02

Shannon Entropy

Entropy measures how unpredictable a password is, expressed in bits. The higher the entropy, the longer a brute-force attack takes — even with a GPU running at 164 billion hashes per second (RTX 4090 speed). PassSec uses the theoretical maximum formula based on alphabet size and password length.

E = L × log₂(A)

E = entropy in bits
L = password length
A = effective alphabet size
log₂(A) = bits of randomness per character

>_ Interactive Entropy Calculator — type a password below

Alphabet Size (A)

—

Length (L)

—

Entropy (bits)

—

0 bits 28 — WEAK 50 — FAIR 80 — STRONG 128+ bits

a-z (26)

A-Z (+26)

0-9 (+10)

Symbols (+32)

MODULE_03

K-Anonymity & HIBP

PassSec checks every password against the HaveIBeenPwned breach database — which contains over 800 million leaked password hashes — without ever sending your actual password or its full hash to any server. This is possible thanks to the k-anonymity model.

Password Input

The user's password is received locally in PassSec's Flask backend. It never leaves your browser or server in plaintext.

password = "hunter2"

SHA-1 Hash

PassSec computes the SHA-1 hash of the password entirely in memory. SHA-1 is used here only because HIBP's database is indexed by SHA-1.

sha1("hunter2") = F3BBBD...E9A2AB7B4A57B6B6B8 (40 hex chars)

Prefix Extraction (5 chars)

Only the first 5 characters of the hash — the prefix — are extracted. This gives 1,048,576 possible prefixes, enough to anonymize any individual password.

prefix = "F3BBB" # only this leaves PassSec suffix = "D...8" # never sent anywhere

HIBP API Request

PassSec sends only the 5-character prefix to the HIBP API. HIBP returns a list of all ~500 hash suffixes that share this prefix, along with their breach counts.

GET https://api.pwnedpasswords.com/range/F3BBB Response (truncated): 0018A45C4D1DEF81644B54AB7F969B88D65:1 00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2 ...

Local Comparison

PassSec compares the full hash suffix locally against the returned list — entirely in memory, with no further network calls. If a match is found, the breach count is returned.

suffix in response_suffixes? → YES: password compromised N times → NO: password not found in HIBP [OK]

MODULE_04

Security Layers

PassSec applies four independent security layers in every analysis. Each layer can independently flag a password as COMPROMISED, regardless of what the other layers report. All checks are performed server-side in a single POST request.

LAYER 01

Regex Analysis

Ten regex-based criteria evaluate the password's structural complexity. Results are weighted and summed into a score from 0 to 100. Penalties reduce the score for anti-patterns.

10 criteria evaluated

Score range: 0 – 100

Execution time: < 1ms

NIST SP 800-63B aligned

LAYER 02

Entropy Engine

Shannon entropy (E = L × log₂A) quantifies the password's theoretical resistance to brute-force attacks. PassSec translates entropy bits into estimated crack time using RTX 4090 benchmark speeds.

Formula: E = L × log₂(A)

Reference: RTX 4090 @ 164B hash/s

Levels: Weak / Fair / Good / Strong

Affects score & brute-force estimate

LAYER 03

RockYou Dictionary

The password is checked against a list of the most common passwords derived from the RockYou data breach — the industry standard dictionary for password auditing. A match forces COMPROMISED status.

14M+ leaked passwords

In-memory set lookup: O(1)

Match → score: 0, level: COMPROMISED

Loaded at server startup

LAYER 04

HIBP K-Anonymity

Real-time check against the HaveIBeenPwned breach database containing 800M+ hashed passwords. Only 5 SHA-1 prefix characters are transmitted — your password is never exposed externally.

800M+ breached hashes indexed

Transmits: 5-char SHA-1 prefix only

Comparison: local, never external

Match → score: 0, level: COMPROMISED