Live password strength analysis + cryptographically secure passphrase generator — free, client-side only
// PRIVACY: Runs entirely in your browser. Nothing you type is ever sent, stored, or logged.
No network requests are made. No data reaches our servers. The strength engine (zxcvbn) and the
wordlist are served from the same origin as this page — zero external calls are possible.
// PASSWORD STRENGTH CHECKER
// analysis capped at 128 characters
// type a password above — strength updates as you type
--0 / 4
// ENTROPY (bits)--
// OFFLINE FAST HASH--
// ONLINE THROTTLED--
// WARNING: Found in common or previously breached password lists.
Attackers try these first. Do not use this password.
// PASSPHRASE GENERATOR
Diceware-style passphrases are long, random, and memorable — exactly what HIPAA password
policies should require. Randomness comes from
window.crypto.getRandomValues()
— never Math.random().
Word selection uses rejection sampling to eliminate modulo bias.
6
6 words ≈ 54 bits of entropy from this wordlist
// SEPARATOR
--
// ENTROPY (bits)--
// OFFLINE FAST HASH--
// ONLINE THROTTLED--
// HIPAA & PASSWORD REQUIREMENTS
Weak or reused passwords are one of the top breach vectors for healthcare practices. HIPAA's
Security Rule addresses password management directly in two places:
§164.308(a)(5)(ii)(D) — PASSWORD MANAGEMENT
HIPAA lists password management as an addressable implementation specification —
meaning you must either implement procedures for creating, changing, and safeguarding passwords,
adopt an equivalent measure, or document in writing why it is not reasonable and appropriate.
It is not optional.
§164.312(a) — ACCESS CONTROL & UNIQUE USER IDENTIFICATION
Each user must have a unique name or number for identifying and tracking user identity.
Shared logins and weak passwords directly violate this technical safeguard.
A single compromised staff credential can expose every patient record in your EHR.
OCR investigators look at password policies in every compliance review — a missing or
inadequate policy increases your exposure in all four civil penalty tiers.
// NEXT STEPS
Strong passwords are one line item in a complete access-control and password policy.
HIPAA requires documented procedures covering creation, rotation, safeguarding, and
termination workflows. Our Advanced Suite for healthcare includes a ready-to-sign
Password & Access Control Policy, a Workforce Training Record, and 15+ other
deliverables written for small practices — so you can close your policy gap without
hiring a consultant.
// DISCLAIMER — Strength estimates are based on the zxcvbn library and are
for education only. No tool can guarantee a password is unbreakable; threat models vary.
This is not legal advice. Consult qualified counsel for your specific HIPAA compliance posture.