Password Strength Checker — Breach Database Audit
Test password strength and check against breached databases
Your password never leaves your browser. Breach checks use k-Anonymity (only a partial hash is sent).
Frequently Asked Questions
Does CyberArsenal store my password?
No. Your password never leaves your browser. We use the k-anonymity model — only the first 5 characters of the SHA-1 hash are sent to check against the HaveIBeenPwned database.
What does 'found in X breaches' mean?
It means that exact password has appeared in X known data breaches. You should change it immediately on any account where you use it.
How does the password strength check work?
It evaluates length, character variety (uppercase, lowercase, numbers, symbols), common patterns, and whether the password appears in known breach databases.
Is the HaveIBeenPwned check safe?
Yes. The k-anonymity protocol means your full password hash is never transmitted. Only a 5-character prefix is sent, and matching is done locally in your browser.
For authorized, legal, and ethical security testing only. Scans are rate-limited to 3 per day on the free tier.