Weak Password Detector

Check a password against a bundled, ranked list of the most common and breached passwords. Catches case-only and leetspeak variants like P@ssw0rd. Runs entirely in your browser — nothing is uploaded.

Try:
Result

About this tool

The weak password detector checks a password against a bundled, ranked list of the most common and previously-breached passwords — the ones that top public breach compilations and that attackers try first in credential-stuffing and brute-force attacks. Everything runs locally in your browser: the password is never uploaded, logged, or sent to any server.

It goes beyond a plain string match. By default it also catches:

Each match reports its rank (1 = most common), the list entry it matched, how it matched, and a severity band (critical / high / common), so you can see why the password is weak.

Worked example

Enter P@ssw0rd with the defaults (case-insensitive, leetspeak on). The tool collapses @a and 0o, matches the bundled entry “password”, and reports it as a leetspeak variant of one of the most common passwords ever leaked — offering no real protection. Enter 123456 and it's flagged as the #1 most common password. Enter a long random passphrase like cor6rect$horse!Battery9Staple and it comes back not on the list.

Limits & edge cases

FAQ

Does this check my password against real breach databases like Have I Been Pwned?

No. This tool matches against a fixed, bundled list of the most common and widely-published breached passwords, entirely offline — it never contacts any API. That means it's private (nothing leaves your browser) but not exhaustive: a password that isn't on the bundled list could still appear in a full breach corpus. Treat a clean result as "not one of the obvious weak passwords", not as "never breached".

Is my password sent anywhere?

No. The check runs locally in your browser via WebAssembly. Your password is never uploaded, logged, or transmitted. You can confirm this by opening your browser's network tab — there are no requests while you type.

What do "case-sensitive" and "leetspeak" do?

By default the tool is case-insensitive, so PASSWORD and password are treated as the same weak password (attackers don't care about case). Turn on case-sensitive match to require an exact-case hit. Leetspeak detection (on by default) collapses common substitutions — P@ssw0rd becomes password — so decorating a common password with symbols doesn't fool the check. Turn it off to match only literal characters.

If my password isn't found, is it strong?

Not necessarily. "Not found" only means it isn't one of the well-known common passwords in the bundled list. A short or predictable password (like a name plus a year) can still be easy to guess even if it's not on any top-worst list. For real strength, use a long, random, unique passphrase — ideally from a password manager — and pair this blocklist check with an entropy/strength estimate.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool weak-password-detector "P@ssw0rd"

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/weak-password-detector/?input=P%40ssw0rd&case_sensitive=true&normalize_leet=true

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.