Pwned Passwords

This is a small piece of JavaScript we created to let users check whether their password appears on any of the lists available on the Dark Web, i.e. lists that have been gleaned from cracks of web servers.

It uses the API available at There is a sample web page (from the Daily Data client site).

Since it is JavaScript and was set up with security in mind, we were able to design it so that the password never leaves the user's web browser. We simply send the first five characters of the SHA-1 digest of the password, and the API returns enough information to determine if the password is in the list.
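The split between what is sent and what stays in the browser, as an added example that is not this project's code. It assumes Node.js (its `crypto` module does the hashing so the block runs offline), a hypothetical `fetchRange(prefix)` callback standing in for the network call, and a range response made of `SUFFIX:COUNT` lines; the sample response is constructed.

```javascript
// Added example: k-anonymity range check, runnable offline under Node.js.
const { createHash } = require('crypto');

// Split the uppercase hex SHA-1 digest into the 5-character prefix that is
// sent to the server and the 35-character suffix that never leaves the client.
function splitDigest(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Look up the local suffix in a range response. Assumed response format:
// one "SUFFIX:COUNT" entry per line, separated by CRLF or LF.
// Returns the listed count, or 0 when the suffix is absent or malformed.
function countInRange(responseText, suffix) {
  const wanted = suffix.toUpperCase();
  for (const line of responseText.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === wanted) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// fetchRange is a hypothetical callback (prefix -> response text); it is the
// only place data crosses the network, and it only ever sees the prefix.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitDigest(password);
  return countInRange(fetchRange(prefix), suffix);
}

// Constructed sample response for prefix 5BAA6 (SHA-1 of "password" is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts are made up.
const SAMPLE_RANGE = [
  '1D2DA4053E34E76F6576ED1DA63134B5E2A:2',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1',
].join('\r\n');

const seen = []; // records everything the stubbed network call receives
const stubFetch = (prefix) => { seen.push(prefix); return SAMPLE_RANGE; };
console.log(checkPassword('password', stubFetch), seen);
```

Because the server only sees five hex characters, it cannot tell which of the many digests sharing that prefix was being checked; the final comparison happens locally.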

In 2020, I added a simple password strength tester from that calculates the strength of the password. It is very old code, but helps a little. Again, everything is done using JavaScript in the local browser, so your password is never transmitted.

This is open source under the BSD license which allows you to do whatever you want, so long as you give attribution to

You can download the file at

You can see it in action by going to