🛡️ Privacy & Security Architecture

Complete transparency on how we protect your passwords

Our Privacy Commitment

Your password never leaves your device in plain text.
We use industry-standard privacy-preserving techniques to keep your data secure.

🔒 Security Model Overview

MyPasswordChecker.com employs a multi-layered security architecture designed around one principle: your password is your secret, not ours.

Three Layers of Protection

  • Layer 1: Client-Side Analysis
  • Layer 2: Privacy-Preserving Breach Check
  • Layer 3: API-Side Bloom Filter (Paid Tiers)

What makes us different? Unlike many password checkers that send your password to their servers, we perform all strength analysis in your browser's JavaScript engine. Only anonymized, hashed fragments are ever transmitted.

⚡ Layer 1: Client-Side Processing

What Happens in Your Browser

All password strength analysis occurs 100% in your browser:

  • Entropy Calculation - Mathematical measure of password randomness
  • Pattern Detection - Identifies common patterns (keyboard walks, repeated characters)
  • Dictionary Matching - Checks against 10,000 most common passwords (loaded locally)
  • Crack Time Estimation - Calculates time to crack using modern GPUs
  • Quantum Resistance Scoring - Theoretical future-proofing analysis

Your Browser (JavaScript)
│
├─ Password Input
│  └─ Stored in memory only (never persisted)
│
├─ Strength Analysis Engine
│  ├─ Shannon Entropy Calculation
│  ├─ Zxcvbn Pattern Matching
│  ├─ Common Password Check (10K list, 71KB local file)
│  └─ Quantum Resistance Scoring
│
└─ Results Display
   └─ Never sent to any server

Tech Detail: We use the industry-standard zxcvbn library (developed by Dropbox) for pattern matching. The 10,000 most common passwords list (~71KB) is downloaded once and cached in your browser.

Privacy Guarantees

  • No cookies or tracking for free password checker
  • No analytics on password input
  • Password never written to disk or browser storage
  • No server-side logging of password data
  • Open source JavaScript - you can audit our code

🕵️ Layer 2: Privacy-Preserving Breach Check (k-Anonymity)

When checking if your password appears in data breaches, we use the k-anonymity model developed by Have I Been Pwned (HIBP). This ensures your password remains private even during the breach check.

How k-Anonymity Works

Step 1: Hash Your Password (SHA-1)
   Password: "MyP@ssw0rd"
   SHA-1 Hash: "21BD1...9A3F" (40 characters)

Step 2: Extract First 5 Characters (Prefix)
   Prefix: "21BD1"
   ↓
   Send to HIBP API

Step 3: HIBP Returns ALL Hashes Starting with "21BD1"
   21BD1...0001: 1234 breaches
   21BD1...0002: 567 breaches
   21BD1...9A3F: 42 breaches  ← Your hash
   21BD1...FFFF: 89 breaches
   (Typically ~500 hash suffixes per prefix)

Step 4: Your Browser Searches Locally
   Finds "21BD1...9A3F" in the list
   Reports: "Found in 42 data breaches"

Why is this secure? We only send the first 5 characters of your password's hash. Since there are 16^5 = 1,048,576 possible prefixes, and each prefix matches ~500 passwords, the server has no way to know which of those 500 passwords is yours. This is called "k-anonymity" where k ≈ 500.
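
The four steps above as an added example (not MyPasswordChecker's own code): it splits the SHA-1 digest into the 5-character prefix that is sent and the 35-character suffix that stays local, then searches a range response in the browser. `SAMPLE_RANGE`, its counts and the caller-supplied `fetchRange` function are constructed for illustration.

```javascript
// Added example: k-anonymity range lookup, client side.
// SAMPLE_RANGE is a constructed response body in "SUFFIX:COUNT" line format.
// The middle suffix belongs to SHA-1("password") = 5BAA6 + 1E4C9...; the other
// suffixes and all counts are made up.
const SAMPLE_RANGE = [
  '0123456789ABCDEF0123456789ABCDEF012:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  'FEDCBA9876543210FEDCBA9876543210FED:0', // zero-count entry: not breached
].join('\r\n');

// Browser-side SHA-1 via Web Crypto, returned as 40 upper-case hex characters.
async function sha1Hex(password) {
  const digest = await crypto.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest))
    .map(b => b.toString(16).padStart(2, '0')).join('').toUpperCase();
}

// Split a SHA-1 hex digest: only `prefix` is ever sent, `suffix` stays local.
function splitHash(hashHex) {
  const h = String(hashHex).trim().toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) throw new Error('expected 40 hex characters');
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Search the returned suffix list locally; returns the breach count, 0 if absent.
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// fetchRange(prefix) is a hypothetical caller-supplied function that resolves
// to the response body for that prefix; the password itself never reaches it.
async function breachCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(await fetchRange(prefix), suffix);
}
```
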

Privacy Mathematics

| Metric | Value | Privacy Impact |
|---|---|---|
| Prefix Length | 5 characters | 1 in 1,048,576 possible prefixes |
| Average Matches per Prefix | ~500 passwords | Server cannot distinguish which one is yours |
| Anonymity Set Size (k) | ~500 | HIGH PRIVACY |
| Data Transmitted | 5 chars (2.5 bytes) | 99.9875% of hash kept private |

Breach Database Coverage

  • 800+ million passwords from verified data breaches
  • Sourced from Have I Been Pwned (HIBP) - trusted by Microsoft, 1Password, etc.
  • Updated regularly as new breaches are discovered
  • Includes passwords from major breaches (LinkedIn, Adobe, Yahoo, etc.)

🚀 Layer 3: API-Side Bloom Filter (Premium Feature)

For our paid API customers, we offer an even more privacy-preserving option: server-side Bloom Filter checking with zero external API calls.

Available in Pro, Quantum, and Enterprise tiers
Coming Soon: Q1 2026

How It Works

  • We host a 500MB-1GB Bloom Filter of all breached passwords on our edge servers
  • Your API request sends the full SHA-256 hash (never plain text)
  • We check locally against our Bloom Filter (no external API calls)
  • Response in ~10-50ms (vs. ~200ms for HIBP API)
  • Complete privacy - your hash never leaves our infrastructure

Bloom Filter Advantages

| Feature | k-Anonymity (Free) | Bloom Filter (Paid API) |
|---|---|---|
| Privacy Level | High (k≈500) | Maximum (1:1) |
| Latency | ~200ms | ~10-50ms |
| External Dependencies | HIBP API | None (self-hosted) |
| False Positive Rate | 0% | ~0.0001% (negligible) |
| Uptime Guarantee | HIBP SLA | 99.9% SLA (Enterprise) |

Note: Even with Bloom Filter, you should always send the SHA-256 hash of the password, never the plain text. Our API will reject any plain text password submissions.
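
A sketch of the lookup described in this section, added here as an example and not the service's implementation: a plain Bloom filter keyed by SHA-256 hex digests that rejects any submission that is not a 64-character digest. The filter size, probe count, status codes and all names are assumptions for illustration.

```javascript
// Added example: Bloom filter lookup keyed by SHA-256 hex digests.
// Sizes, status codes and names are assumptions, not the service's values.
const SHA256_HEX = /^[0-9a-f]{64}$/;

function normalize(input) {
  const h = String(input).trim().toLowerCase();
  if (!SHA256_HEX.test(h)) throw new TypeError('expected a 64-character SHA-256 hex digest');
  return h;
}

class HashBloomFilter {
  constructor(bits = 1 << 20, probes = 7) {
    this.bits = bits;     // filter size m, in bits
    this.probes = probes; // bit positions set per item (k)
    this.bytes = new Uint8Array(Math.ceil(bits / 8));
  }
  // A SHA-256 digest is already uniformly distributed, so two 32-bit words
  // taken from it drive double hashing: index_i = (h1 + i * h2) mod m.
  *positions(hashHex) {
    const h1 = Number.parseInt(hashHex.slice(0, 8), 16);
    const h2 = (Number.parseInt(hashHex.slice(8, 16), 16) | 1) >>> 0; // odd, unsigned
    for (let i = 0; i < this.probes; i++) yield (h1 + i * h2) % this.bits;
  }
  add(hashHex) {
    for (const p of this.positions(normalize(hashHex))) this.bytes[p >> 3] |= 1 << (p & 7);
  }
  mightContain(hashHex) {
    for (const p of this.positions(normalize(hashHex))) {
      if ((this.bytes[p >> 3] & (1 << (p & 7))) === 0) return false; // definitely absent
    }
    return true; // present, or a false positive
  }
}

// Handler sketch: refuse anything that is not a digest, then look it up.
function checkSubmission(filter, submitted) {
  try {
    return { status: 200, breached: filter.mightContain(submitted) };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}

// Constructed sample set: SHA-256 of "password" and of "123456".
const demoFilter = new HashBloomFilter();
demoFilter.add('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8');
demoFilter.add('8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92');
```

The rejection is a format check only: a server cannot tell a real digest from a password that happens to be 64 hex characters, so hashing on the client remains the caller's responsibility.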

🏢 MSP & Enterprise Use Cases

For Managed Service Providers (MSPs) and enterprises, we offer specialized deployment options:

Enterprise Features

  • White-label API - Brand it as your own security tool
  • Multi-tenant dashboard - Manage multiple client organizations
  • Custom breach lists - Add your own threat intelligence feeds
  • Air-gapped deployment option - For highly regulated industries
  • SOC 2 Type 2 compliance - Audit logs and compliance reports

On-Premise / Private Cloud Options

For organizations that require complete data sovereignty:

  • Self-hosted Bloom Filter (Docker container)
  • Monthly breach database updates via secure transfer
  • No internet connectivity required after initial setup
  • Perfect for defense, financial services, healthcare sectors

Interested in MSP or Enterprise partnership? Contact us at sales@mypasswordchecker.com for custom pricing and deployment options.

⚖️ How We Compare to Competitors

| Feature | MyPasswordChecker | Typical Competitor |
|---|---|---|
| Client-Side Processing | ✅ Yes (100% browser) | ❌ Sends to server |
| Breach Check Privacy | ✅ k-Anonymity (k≈500) | ⚠️ Varies (often full hash) |
| Common Password List | ✅ 10K local (71KB) | ❌ Limited or server-side |
| Quantum Resistance Scoring | ✅ Yes (unique feature) | ❌ Not offered |
| API Bloom Filter Option | ✅ Yes (paid tiers) | ❌ Not offered |
| Open Source Client | ✅ Yes (auditable) | ⚠️ Varies |
| MSP/Enterprise Options | ✅ Yes | ⚠️ Limited |

📚 Security Best Practices

For Users

  • Use our tool to test passwords before using them on real accounts
  • Never reuse passwords across different services
  • Aim for 80+ bits of entropy (our tool shows this)
  • If your password appears in breaches, change it immediately
  • Consider using a password manager for unique passwords

For Developers (API Users)

  • Always hash passwords client-side before sending to our API
  • Use SHA-256 for hashing (SHA-1 accepted for HIBP compatibility)
  • Implement rate limiting on your end (our API has quotas)
  • Cache common password checks to reduce API calls
  • Follow our API documentation for best practices

// Example: Secure API usage
const password = userInput; // Never log this!

// Hash client-side
const hash = await crypto.subtle.digest(
  'SHA-256',
  new TextEncoder().encode(password)
);
const hashHex = Array.from(new Uint8Array(hash))
  .map(b => b.toString(16).padStart(2, '0'))
  .join('');

// Send only hash to API
const response = await fetch('https://api.mypasswordchecker.com/v1/check', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ hash: hashHex })
});

🔧 Technical Specifications

Cryptographic Standards

  • Hashing: SHA-1 (HIBP compatibility), SHA-256 (recommended), SHA-512 (future)
  • Entropy Calculation: Shannon entropy (bits)
  • Pattern Matching: Zxcvbn v4.4.2
  • Common Passwords: Top 10K from SecLists (danielmiessler)
  • Bloom Filter: BinaryFuse8 (planned), FPR ~0.0001%

Infrastructure

  • Hosting: Cloudflare Pages (CDN distribution)
  • API: Cloudflare Workers (edge computing)
  • Database: Cloudflare D1 (SQLite)
  • Storage: Cloudflare R2 (Bloom filters, future)
  • Uptime: 99.9% SLA (Enterprise tier)

Compliance & Certifications

  • SOC 2 Type 2 (in progress - Q2 2026)
  • GDPR compliant (EU data residency available)
  • CCPA compliant (California privacy rights)
  • HIPAA-ready (BAA available for Enterprise)
  • ISO 27001 (planned - 2026)

❓ Security & Privacy FAQs

Can you see my password?

No. For the free password checker, your password never leaves your browser. For API users, only cryptographic hashes are transmitted, never plain text passwords.

How is k-anonymity different from just hashing?

Hashing alone isn't enough because the same password always produces the same hash. k-anonymity goes further by only revealing the first 5 characters of the hash, making it impossible to determine which specific password you're checking.

What if HIBP API is down?

Our free tool will continue to work for strength analysis and common password checks. The breach check feature will show an error. Paid API tiers will use our Bloom Filter (when available) with zero dependency on external services.

Do you store API requests?

We log metadata (timestamp, API key, endpoint, response code) for billing and abuse prevention, but never log password hashes or any password-related data. See our Privacy Policy for details.

Is quantum resistance real?

Our "quantum resistance" scoring is theoretical and educational. Current quantum computers cannot crack passwords (they target encryption keys). However, longer passwords with higher entropy will be more resistant to future quantum attacks. We provide this scoring to future-proof your security posture.

Can I audit your code?

Yes! Our client-side JavaScript is unminified and readable. You can view the source code in your browser's developer tools. We plan to open-source our client library on GitHub in 2026.
