CyberDevAI-X/password-strength-checker

Password Strength Checker

Password strength checker built with ASP.NET Core and React.

The backend evaluates user-entered passwords with zxcvbn-core, performs breach lookups through the Have I Been Pwned range API, and exposes the result through a simple HTTP API consumed by the frontend. The UI includes separate Analyze password and Generate password modes, with a details panel for the analysis workflow and a dedicated validation view for generated passwords.

This repository is intended for technical review and demonstration. It is structured with pre-production-oriented practices in mind, including repository hygiene, dependency reproducibility, CI validation, and practical web/API security controls.

Screenshots

Analyze Password

[Screenshot: Analyze password mode]

Generate Password

[Screenshot: Generate password mode]

Compromised Password Detection

[Screenshot: Compromised password detection]

Features

  • Analyze password mode with Bitwarden-aligned zxcvbn-based scoring and market-aligned crack-time estimates
  • Generate password mode with cryptographically secure randomness and generator-aware validation
  • Composition checks for length, uppercase, lowercase, digits, and symbols
  • Breach lookup through the HIBP range API
  • Details panel for analysis steps and breach-check workflow visibility
  • Structured response with warnings, recommendations, transparency details, and analysis metadata
  • Backend tests with xUnit

Stack

  • .NET 8 Web API
  • React 19 with Vite
  • zxcvbn-core
  • xUnit

Project Structure

  • api/: ASP.NET Core API
  • client/: React frontend
  • tests/: backend test project

Prerequisites

  • .NET 8 SDK
  • Node.js 22+

Configuration

  • Copy client/.env.example to client/.env only if you need to override the default API base URL.
  • Default frontend API base URL: http://localhost:5000/api
  • Supported frontend variable: VITE_API_BASE_URL
  • Default local frontend origins are defined in api/appsettings.json under Cors:AllowedOrigins.
  • Adjust Cors:AllowedOrigins before using a non-local frontend origin.

Run Locally

Backend:

dotnet restore PasswordStrengthChecker.sln
dotnet run --project api/PasswordStrengthChecker.Api.csproj --urls http://localhost:5000

The API is available at http://localhost:5000/api.

Frontend:

cd client
npm ci
npm run dev

The frontend runs at http://localhost:5173.

Test

dotnet test PasswordStrengthChecker.sln

API Example

Analyze request:

POST /api/password/check
Content-Type: application/json

{
  "password": "9d]eZUv?M3CRZ",
  "analysisMode": "analyze",
  "includeBreachLookup": true
}

Generate request:

POST /api/password/check
Content-Type: application/json

{
  "password": "Vx7!mQ2#rL9@pD4$",
  "analysisMode": "generate",
  "includeBreachLookup": false,
  "generatorOptions": {
    "length": 16,
    "includeUppercase": true,
    "includeLowercase": true,
    "includeDigits": true,
    "includeSymbols": true
  }
}

Representative response shape:

{
  "score": 3,
  "strengthLevel": "Strong",
  "recommendations": [],
  "warnings": [],
  "hasMinLength": true,
  "hasUpper": true,
  "hasLower": true,
  "hasDigit": true,
  "hasSpecialChar": true,
  "hasNoWeakPattern": true,
  "isPwned": false,
  "pwnedCount": 0,
  "crackTimeDisplay": "32 years",
  "crackTimeReference": "zxcvbn | market-aligned estimate | 1e4 guesses/s",
  "entropy": 43.2,
  "analysisMode": "analyze",
  "entropySource": "zxcvbn-estimated-guesses",
  "breachCheckPerformed": true
}

The exact values depend on the evaluated password, the analysis mode, and the HIBP lookup result.

Security Notes

  • The backend applies rate limiting on the password check endpoint.
  • Security headers are added at the application level.
  • HIBP lookups use the range API, which sends only the SHA-1 prefix required by the k-anonymity protocol.
  • Analyze password uses a zxcvbn-based estimator with a market-aligned crack-time display.
  • Generate password uses generator-character-space calculations instead of human-password heuristics.
  • This repository is intended for demonstration and technical review. Production use still requires deployment-specific hardening, HTTPS termination, monitoring, and operational controls.
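
The k-anonymity split behind the HIBP bullet above, shown as an added C# example that is not the repository's own code. The class and method names are hypothetical, and the response body is constructed sample data so the block runs offline.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; names are hypothetical, not taken from the repository.
public static class HibpRangeSketch
{
    // Split the upper-case SHA-1 hex digest into the 5-character prefix that is
    // sent to the range API and the 35-character suffix that stays on the host.
    public static (string Prefix, string Suffix) SplitHash(string password)
    {
        string hex = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
        return (hex[..5], hex[5..]);
    }

    // Scan a range response body ("SUFFIX:COUNT" per line) for the local suffix.
    // Returns 0 when the suffix is absent or the matching line has count 0.
    public static long FindCount(string body, string suffix)
    {
        foreach (string raw in body.Split('\n', StringSplitOptions.RemoveEmptyEntries))
        {
            string line = raw.Trim();                 // drops the '\r' of CRLF endings
            int sep = line.IndexOf(':');
            if (sep != 35) continue;                  // malformed line: skip it
            if (!string.Equals(line[..sep], suffix, StringComparison.OrdinalIgnoreCase))
                continue;
            return long.TryParse(line[(sep + 1)..], out long n) ? n : 0;
        }
        return 0;
    }

    public static void Main()
    {
        // Constructed response body for prefix 5BAA6; the counts are made up.
        // The last line imitates a padding entry (count 0), as returned when
        // the request carries the API's optional Add-Padding header.
        string sampleBody =
            "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n" +
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
            new string('F', 35) + ":0\r\n";

        var (prefix, suffix) = SplitHash("password");
        Console.WriteLine($"sent to API: {prefix}  kept local: {suffix}");
        Console.WriteLine($"pwnedCount: {FindCount(sampleBody, suffix)}");

        var (_, other) = SplitHash("9d]eZUv?M3CRZ");
        Console.WriteLine($"pwnedCount: {FindCount(sampleBody, other)}");
    }
}
```

The suffix comparison happens locally, so the service learns only which 5-character bucket was queried, never the full hash or the password.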

About

ASP.NET Core + React password security tool with zxcvbn scoring, HIBP breach checks, generator validation, and xUnit-tested APIs.
