# Weak Password Detector

Check whether a password is one of the most common or breached passwords. Detects case and leetspeak variants, offline in your browser — nothing is uploaded.

## Run it

- **CLI:** `gizza tool weak-password-detector "P@ssw0rd"`
- **Web:** https://gizza.ai/tools/weak-password-detector/
- **Agents:** machine-readable descriptor (parameters JSON Schema) at https://gizza.ai/tools/weak-password-detector/tool.json

## Inputs

- `input` — Password to check _(field)_
- `case_sensitive` — Case-sensitive match (require exact case) _(field)_
- `normalize_leet` — Detect leetspeak variants (P@ssw0rd → password) _(field)_

## Output

- Result (text)

## Query parameters

Open the tool pre-filled and auto-run via URL:

- `input` — Password to check
- `case_sensitive` — Case-sensitive match (require exact case)
- `normalize_leet` — Detect leetspeak variants (P@ssw0rd → password)

Example: `https://gizza.ai/tools/weak-password-detector/?input=P%40ssw0rd&case_sensitive=true&normalize_leet=true`

---

## About this tool

The weak password detector checks a password against a **bundled, ranked list of
the most common and previously-breached passwords** — the ones that top public
breach compilations and that attackers try first in credential-stuffing and
brute-force attacks. Everything runs locally in your browser: the password is
never uploaded, logged, or sent to any server.

It goes beyond a plain string match. By default it also catches:

- **Case-only variations** — `PASSWORD`, `Password`, and `password` are all
  flagged, because attackers ignore case.
- **Leetspeak variants** — `P@ssw0rd`, `l3tm31n`, and similar digit/symbol
  substitutions collapse back to their base word (`0`→`o`, `@`→`a`, `1`→`i`,
  `3`→`e`, `4`→`a`, `5`→`s`, `7`→`t`, …), so dressing up a common password
  doesn't hide it.

Each match reports its **rank** (1 = most common), the list entry it matched,
how it matched, and a severity band (critical / high / common), so you can see
*why* the password is weak.

### Worked example

Enter `P@ssw0rd` with the defaults (case-insensitive, leetspeak on). The tool
collapses `@`→`a` and `0`→`o`, matches the bundled entry **“password”**, and
reports it as a leetspeak variant of one of the most common passwords ever
leaked — offering no real protection. Enter `123456` and it's flagged as the
**#1** most common password. Enter a long random passphrase like
`cor6rect$horse!Battery9Staple` and it comes back *not on the list*.

### Limits & edge cases

- This is a **bundled blocklist / dictionary check, not a live breach-database
  (Have I Been Pwned) lookup**. It does not call any API and does not know about
  every leaked password — only the well-known common ones shipped with the tool.
- A **“not found” result is not proof of strength.** It only rules out the
  best-known weak passwords. A short-but-uncommon password can still be weak by
  entropy; pair this with a strength/entropy check.
- An **empty input is rejected** — there's nothing to check.
- Matching is offline and deterministic: the same input always gives the same
  result.

## FAQ

<details>
<summary>Does this check my password against real breach databases like Have I Been Pwned?</summary>

No. This tool matches against a **fixed, bundled list** of the most common and
widely-published breached passwords, entirely offline — it never contacts any
API. That means it's private (nothing leaves your browser) but not exhaustive:
a password that isn't on the bundled list could still appear in a full breach
corpus. Treat a clean result as "not one of the obvious weak passwords", not as
"never breached".

</details>

<details>
<summary>Is my password sent anywhere?</summary>

No. The check runs locally in your browser via WebAssembly. Your password is
never uploaded, logged, or transmitted. You can confirm this by opening your
browser's network tab — there are no requests while you type.

</details>

<details>
<summary>What do "case-sensitive" and "leetspeak" do?</summary>

By default the tool is **case-insensitive**, so `PASSWORD` and `password` are
treated as the same weak password (attackers don't care about case). Turn on
**case-sensitive match** to require an exact-case hit. **Leetspeak detection**
(on by default) collapses common substitutions — `P@ssw0rd` becomes `password`
— so decorating a common password with symbols doesn't fool the check. Turn it
off to match only literal characters.

</details>

<details>
<summary>If my password isn't found, is it strong?</summary>

Not necessarily. "Not found" only means it isn't one of the well-known common
passwords in the bundled list. A short or predictable password (like a name plus
a year) can still be easy to guess even if it's not on any top-worst list. For
real strength, use a long, random, unique passphrase — ideally from a password
manager — and pair this blocklist check with an entropy/strength estimate.

</details>

## Related tools

- [Password Strength Checker](https://gizza.ai/tools/password-entropy/): Estimate a password's entropy in bits and crack time, and flag weaknesses — entirely in your browser. Your password is never sent anywhere, free.
- [AES cipher](https://gizza.ai/tools/aes-cipher/): Encrypt or decrypt text with AES in CBC, CTR, GCM or ECB mode and 128/192/256-bit keys, with hex/base64 I/O — in your browser. Nothing is uploaded.
- [AES Key Wrap](https://gizza.ai/tools/aes-key-wrap/): Wrap and unwrap cryptographic keys with AES Key Wrap (KW / RFC 3394, KWP / RFC 5649) using a 128/192/256-bit KEK — hex or base64, free and in-browser.
- [Argon2 hash](https://gizza.ai/tools/argon2-hash/): Hash a password with Argon2id (configurable memory, iterations, parallelism) and get a PHC string, or verify a password — in your browser. Nothing is uploaded.
- [ASN.1 / DER parser](https://gizza.ai/tools/asn1-parser/): Parse an ASN.1 / DER hex string into a readable tree of tags, lengths, OIDs and values — free, in your browser. Inspect X.509 certificates, keys and CSRs.
