Cybersecurity tools

Password and security utilities that run entirely in your browser. Nothing you type, paste or generate gets sent to anyone's server. That matters more here than almost anywhere else: a password generator that uploads your password is, well, exactly the thing you should be worried about.

What these tools are quietly trying to fix

The reason most people end up with bad passwords isn't laziness. It's that the security advice they've been given for the last twenty years has been a moving target, often contradictory, and almost always delivered as a scolding rather than an explanation. "Use a strong password" is not advice if nobody tells you what strong means. "Change it every ninety days" was the official guidance for a decade, then quietly reversed by NIST when the data came in showing it made things worse. No wonder people pick "Password1!" and call it a day.

The tools here try to replace the scolding with something measurable. Entropy in bits, a number you can actually compare. Crack-time estimates against three different threat models, because "an attacker" covers anything from a teenager with a laptop to a state-sponsored cluster. A breach risk score that asks about your real habits rather than your aspirational ones. None of it requires a security degree. All of it gives you something concrete to act on.

Where the inputs come from

For password tools, the input is the password itself, and the only sensible place for it to be assessed is on your own machine. That's why the Password Strength Calculator and the Password Generator never call out to a server. The breach-list lookup uses the k-anonymity API model, where only a partial hash prefix leaves your browser, never the full password.

For breach risk and cost estimation, the inputs are the ones nobody likes writing down: how many staff, how many records of personal data, what sector you sit in, what your detection and response posture genuinely looks like. Be honest about it. The Data Breach Risk Score is only as useful as the answers you put in, and the temptation to tick "yes we patch promptly" when really it's "we get to it eventually" is the same temptation that causes the breach in the first place. Pull patch logs, MFA coverage reports, and incident-response runbook dates if you have them. If you don't, that absence is itself a finding.

Mistakes that turn good intentions into bad outcomes

The first is reusing passwords across sites. One breach somewhere unimportant becomes a breach of your email, your bank and your work account, all in the time it takes an attacker to run credential stuffing. A password manager and a unique password per site is the single highest-impact change most people can make. The Diceware-style passphrases this section can generate are designed to be memorable for the handful you actually have to type by hand: the master password, the device unlock, the recovery codes you keep on paper.

The second is treating two-factor authentication as a tickbox. SMS-based 2FA is meaningfully better than nothing, but SIM-swap attacks are a real and current threat. App-based or hardware-token 2FA is genuinely strong. The 2FA / TOTP Window Calculator lets you reason about the acceptance window your service is using, which is the kind of detail most "is 2FA enough" conversations skip.

The third is forgetting about certificates. An expired SSL certificate is, depending on the day, either an embarrassing afternoon or a full-day outage that costs real revenue. Renewals get missed because the calendar reminder lived in someone's inbox who left two years ago. The SSL Certificate Expiry Calculator gives you a renewal-by date well in advance of the actual expiry, which is the only date worth caring about.

Picking between the tools

If you're worried about a single password, start with the strength calculator. If you need a new one, the generator. If you're worried about your overall posture, the breach risk score gives you a prioritised fix list. If you're building a business case for security spend, the breach cost estimator gives you a defensible range to put in the slide deck. Each tool answers one clear question, which is the only honest way to do this.

  • Password Strength Calculator

    Test how strong a password really is. Entropy in bits, breach-list check, and crack-time estimates at three threat models. Runs entirely in your browser, so nothing you type leaves the device.

  • Password Generator

    Cryptographically secure passwords and passphrases, generated entirely in your browser using crypto.getRandomValues. Length slider, character class toggles, pronounceable mode, and an EFF-style passphrase mode with selectable separators. Live entropy and crack-time estimates. Nothing leaves the device.

  • Data Breach Risk Score

    Self-assess your breach exposure across passwords, 2FA, software hygiene and phishing awareness. Get a risk score, a category from Low to Critical, and a prioritised fix list. All in your browser.

  • Data Breach Cost Estimator

    Estimate the financial impact of a data breach using IBM/Ponemon 2024 benchmarks. Per-record cost by sector, regional and sensitivity multipliers, GDPR and CCPA fine estimates, and a low/high range to plan against.

  • Hash Generator

    Generate SHA-256, SHA-384, SHA-512 and SHA-1 hashes from text or files. Uses Web Crypto in your browser. Drag a 100 MB file in and the hash never leaves the device.

  • Diceware Passphrase Generator

    Generate a memorable passphrase by drawing words from the EFF short wordlist (1,296 words) using crypto.getRandomValues. Pick word count, separator and capitalisation, see honest entropy figures and a plain-English read of what they resist. Browser-only.

  • SSL Certificate Expiry Calculator

    Paste an expiry date, or the openssl text dump of a certificate, and get days remaining, an urgency band, and the date to set the renewal reminder for. Date arithmetic only, no network call, no live validation.

  • 2FA / TOTP Window Calculator

    Reason about your TOTP authentication window. Period, digits, drift and clock skew in; effective acceptance window in seconds, per-attempt brute-force odds expressed as 1-in-N, attempts-per-second to a 50% guess inside one period, and a recommended drift setting based on your skew tolerance. Browser-only, RFC 6238.

Frequently asked questions

What makes a password actually strong?

Length first, character variety second. A 16-character random string of mixed-case letters and numbers is significantly stronger than an 8-character one with symbols sprinkled in. The Password Strength Calculator scores your password on length, character set, common-password lists and dictionary words, and shows estimated time to crack at modern GPU speeds.

Are passphrases better than passwords?

For human memorability, yes. Four random English words from a Diceware list (correct-horse-battery-staple) is roughly as strong as a 12-character random password and far easier to recall. The Diceware Passphrase Generator rolls genuinely random words from the standard 7,776-word list.
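As an added illustration (not this site's own code), here is one way a browser generator can draw Diceware words from crypto.getRandomValues without modulo bias and report the entropy figure. `SAMPLE_WORDS` is a constructed six-word stand-in for a real wordlist, and every function name is hypothetical.

```javascript
// Draw an unbiased index in [0, n) from 32-bit random values.
// `value % n` alone is biased whenever 2^32 is not a multiple of n, so values
// that fall in the incomplete final bucket are rejected and redrawn.
function uniformIndex(n, randomU32) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("list size must be an integer in 1..2^32");
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  let v;
  do {
    v = randomU32();
  } while (v >= limit);
  return v % n;
}

// Default randomness source: the browser CSPRNG the page names.
function cryptoU32() {
  const buf = new Uint32Array(1);
  globalThis.crypto.getRandomValues(buf);
  return buf[0];
}

// Build a passphrase of `count` independently drawn words.
// `randomU32` is injectable so the selection logic can be tested.
function passphrase(wordlist, count, separator = "-", randomU32 = cryptoU32) {
  const words = [];
  for (let i = 0; i < count; i++) {
    words.push(wordlist[uniformIndex(wordlist.length, randomU32)]);
  }
  return words.join(separator);
}

// Entropy in bits of `count` independent uniform draws from `listSize` choices.
// This only holds if the words were chosen randomly, not picked by a person.
function entropyBits(listSize, count) {
  return count * Math.log2(listSize);
}

// Constructed stand-in list; a real generator loads the full wordlist.
const SAMPLE_WORDS = ["acorn", "blimp", "cedar", "dune", "ember", "fjord"];
```

The entropy function depends only on list size and word count, so it applies equally to a 1,296-word and a 7,776-word list.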

How long until my password gets cracked in a breach?

If a site stores passwords properly (bcrypt or argon2), even an 8-character random password takes years to brute-force. If they store them poorly (MD5, SHA-1, or plain text), the same password falls in under a second on a modern GPU. Assume the worst, use a unique long password per site, and let a password manager remember them.

What does the TOTP window do and why does it matter?

TOTP codes (the six digits in Google Authenticator and similar) change every 30 seconds. A "window" is how many adjacent codes a server will accept to allow for clock drift. A wider window is more user-friendly but slightly weaker against brute force. The 2FA / TOTP Window Calculator shows the security trade-off for any window size.
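The trade-off can be put in numbers. The sketch below is an added example, not the calculator's own code: it assumes `drift` means the number of RFC 6238 time steps accepted on each side of the current one, and that each guess is an independent uniform pick from the code space. All function names are hypothetical.

```javascript
// Time-step counters a server would accept at `unixSeconds` (RFC 6238: T = floor(t / period)).
function acceptedCounters(unixSeconds, period = 30, drift = 1) {
  const current = Math.floor(unixSeconds / period);
  const counters = [];
  for (let t = current - drift; t <= current + drift; t++) counters.push(t);
  return counters;
}

// Acceptance window and brute-force odds for a given TOTP configuration.
function totpWindow({ period = 30, digits = 6, drift = 1 } = {}) {
  if (period <= 0 || !Number.isInteger(digits) || digits < 1 ||
      !Number.isInteger(drift) || drift < 0) {
    throw new RangeError("invalid TOTP parameters");
  }
  const acceptedCodes = 2 * drift + 1;          // current step plus drift on each side
  const codeSpace = 10 ** digits;
  const pHit = acceptedCodes / codeSpace;       // chance one guess matches an accepted code
  // Smallest k with 1 - (1 - pHit)^k >= 0.5
  const attemptsFor50 = Math.ceil(Math.log(0.5) / Math.log1p(-pHit));
  return {
    acceptedCodes,
    windowSeconds: acceptedCodes * period,      // how long any one code stays usable
    oneIn: Math.round(codeSpace / acceptedCodes),
    attemptsFor50,
    // Guess rate needed to reach 50% before the codes rotate; rate limiting
    // and lockout should sit far below this figure.
    attemptsPerSecond: Math.ceil(attemptsFor50 / period),
  };
}

// Smallest drift that still accepts a client whose clock is off by `skewSeconds`.
function recommendedDrift(skewSeconds, period = 30) {
  return Math.ceil(Math.abs(skewSeconds) / period);
}
```

With the defaults (30-second period, six digits, one step of drift) a single guess succeeds about 1 time in 333,333, and dropping drift to zero triples that figure while requiring tighter clock sync.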

Is my data being sent anywhere when I use these tools?

No. Every cybersecurity tool here runs entirely in JavaScript on your device. Passwords you generate, hashes you compute, passphrases you roll: none of it touches a server. You can disconnect from the network and the tools still work. That is the point.

Why a browser-only password tool is the only kind worth using

Plenty of "free password generator" sites work by sending your generated password back to the server, or logging the seed they used. Even when they don't, the password has briefly existed on someone else's machine. For a tool whose entire purpose is generating something nobody else should ever see, that is the wrong architecture.

Everything in this section uses your own browser's cryptographic primitives: the Web Crypto API for hashing, crypto.getRandomValues for entropy, and pure JavaScript for the rest. If your Wi-Fi dropped while you were generating a password, the tool would still work. Open the page, disconnect, generate a password, copy it, close the tab. Nothing leaves the device.