A Python-based toolkit for password strength analysis, hash identification & cracking, secure password generation, and breach database checking, built to demonstrate cryptographic security fundamentals.
Overview • Features • Tech Stack • Installation • Usage • Architecture • Project Structure • Concepts • Contributing
This toolkit provides four core password security capabilities through both an interactive CLI menu and direct command-line arguments:
| Module | Description |
|---|---|
| Password Strength Analyzer | Evaluates passwords using entropy calculation, pattern detection, character analysis, and real-world weakness checks (keyboard walks, common substitutions, dictionary words) |
| Hash Identifier & Cracker | Identifies hash types (MD5, SHA-1, SHA-256, bcrypt, etc.) and performs dictionary, rule-based, and brute-force attacks |
| Secure Password Generator | Creates cryptographically secure passwords and passphrases with configurable policies and entropy reporting |
| Breach Checker | Checks if a password has appeared in known data breaches using the Have I Been Pwned API with k-anonymity (your password is never sent over the network) |
Why this project? It demonstrates understanding of cryptographic hashing, entropy, authentication security, and responsible password practices core knowledge for any cybersecurity role.
- Shannon entropy calculation
- Character class diversity scoring
- Common pattern detection (keyboard walks, repeated chars, sequences)
- L33tspeak reversal and dictionary matching
- NIST SP 800-63B compliance checking
- Estimated crack time calculation
- Detailed scoring with actionable feedback
- Auto-detection of 10+ hash types by format/length
- Dictionary attack with wordlist support
- Rule-based attack (append numbers, capitalize, l33tspeak, reverse)
- Brute-force attack with configurable charset and length
- Multi-hash cracking support
- Performance benchmarking (hashes/second)
- Cryptographically secure random generation (
secretsmodule) - Configurable length, character classes, and policies
- Passphrase generation (Diceware-style)
- Pronounceable password generation
- Batch generation with deduplication
- Entropy reporting for each generated password
- Have I Been Pwned API v3 integration
- k-anonymity model (only first 5 chars of SHA-1 hash sent)
- Breach count reporting
- Offline hash list checking support
| Category | Technology | Purpose |
|---|---|---|
| Language | Python 3.8+ | Core application logic |
| Standard Library | hashlib |
MD5, SHA-1, SHA-256 hash computation |
| Standard Library | secrets |
Cryptographically secure random generation |
| Standard Library | argparse |
CLI argument parsing |
| Standard Library | math (log2) |
Entropy calculation |
| Standard Library | itertools |
Brute-force character permutations |
| Standard Library | re |
Pattern detection (keyboard walks, sequences) |
| Dependency | requests ≥ 2.31.0 |
HTTP client for Have I Been Pwned API |
| Dependency | colorama ≥ 0.4.6 |
Cross-platform colored terminal output |
| Dependency | tabulate ≥ 0.9.0 |
Pretty-print result tables |
| API | Have I Been Pwned v3 | Breach database (k-anonymity model) |
| Testing | unittest |
Unit test framework |
- Python 3.8 or higher
- pip (Python package manager)
- Internet connection (for breach checking only)
# Clone the repository
git clone https://github.com/zishnusarker/password-security-toolkit.git
cd password-security-toolkit
# Create and activate virtual environment
python -m venv venv
# Windows
venv\Scripts\activate
# Linux / macOS
source venv/bin/activate
# Install dependencies
pip install -r requirements.txtpython password_toolkit.py --helpLaunch the interactive menu for guided usage:
python password_toolkit.py╔═══════════════════════════════════════════════╗
║ PASSWORD SECURITY TOOLKIT ║
╚═══════════════════════════════════════════════╝
Choose an option:
1 - Analyze password strength
2 - Crack a hash
3 - Generate secure passwords
4 - Check for breaches
5 - Identify hash type
0 - Exit
# Analyze a single password
python password_toolkit.py analyze "MyP@ssw0rd123"
# Analyze passwords from a file
python password_toolkit.py analyze --file passwords.txt# Dictionary attack (default)
python password_toolkit.py crack 5f4dcc3b5aa765d61d8327deb882cf99
# Rule-based attack
python password_toolkit.py crack 5f4dcc3b5aa765d61d8327deb882cf99 --mode rules
# Brute-force attack (max 6 chars)
python password_toolkit.py crack 5f4dcc3b5aa765d61d8327deb882cf99 --mode brute --max-length 6
# Crack hashes from file with custom wordlist
python password_toolkit.py crack --file hashes.txt --wordlist wordlists/common_passwords.txt# Generate 5 random passwords (default: 16 chars)
python password_toolkit.py generate
# Custom length and count
python password_toolkit.py generate --length 20 --count 10
# Passphrase mode
python password_toolkit.py generate --mode passphrase --words 5
# Pronounceable password
python password_toolkit.py generate --mode pronounceable --length 12
# PIN generation
python password_toolkit.py generate --mode pin --length 8# Check a single password
python password_toolkit.py breach "password123"
# Check passwords from file
python password_toolkit.py breach --file passwords.txtpython password_toolkit.py identify 5f4dcc3b5aa765d61d8327deb882cf99╔═══════════════════════════════════════════════╗
║ PASSWORD STRENGTH ANALYZER ║
╚═══════════════════════════════════════════════╝
Password: P@ssw0rd123
┌─────────────────────────────────────────┐
│ Overall Score: 35/100 [██████░░░░░░░] │
│ Rating: WEAK │
│ Entropy: 36.2 bits │
│ Crack Time: ~3 hours (offline) │
└─────────────────────────────────────────┘
✓ Length: 11 characters (adequate)
✓ Has uppercase and lowercase
✓ Has numbers
✓ Has special characters
✗ Contains common password pattern: "P@ssw0rd"
✗ Uses predictable l33tspeak: a→@, o→0
✗ Appears in common password lists
✗ Sequential numbers appended: "123"
Suggestions:
→ Use 16+ characters for strong security
→ Avoid dictionary words with substitutions
→ Consider a random passphrase: "correct-horse-battery-staple"
→ Use a password manager for unique passwords
┌─────────────────────────────────────────────────────────────┐
│ MAIN CONTROLLER │
│ (password_toolkit.py) │
│ │
│ CLI Parser ←→ Interactive Menu │
├──────────┬──────────┬──────────────┬────────────────────────┤
│ Strength │ Hash │ Password │ Breach │
│ Analyzer │ Cracker │ Generator │ Checker │
│ │ │ │ │
│ Entropy │ Identify │ Secure Random│ HIBP API │
│ Patterns │ Dict Atk │ Passphrases │ k-Anonymity │
│ Scoring │ Rules │ Policies │ Offline Check │
│ Feedback │ Brute │ Batch Gen │ Breach Count │
├──────────┴──────────┴──────────────┴────────────────────────┤
│ SHARED UTILITIES │
│ (utils.py - Colors, Banners, Helpers) │
└─────────────────────────────────────────────────────────────┘
password-security-toolkit/
├── password_toolkit.py # Main CLI entry point & interactive menu
├── requirements.txt # Python dependencies with versions
├── LICENSE # MIT License
├── README.md # Project documentation (this file)
├── CONTRIBUTING.md # Contribution guidelines
├── .gitignore # Git ignore rules
│
├── modules/ # Core functionality modules
│ ├── __init__.py # Package initializer
│ ├── strength_analyzer.py # Password strength analysis engine
│ ├── hash_cracker.py # Hash identification and cracking
│ ├── password_generator.py # Secure password/passphrase generation
│ ├── breach_checker.py # Have I Been Pwned API integration
│ └── utils.py # Shared utilities, colors, banners
│
├── wordlists/ # Wordlists for cracking & generation
│ ├── common_passwords.txt # Top 1000 common passwords
│ └── passphrase_words.txt # Word list for passphrase generation
│
└── tests/ # Unit tests
├── __init__.py
└── test_toolkit.py # Test suite for all modules
Despite the push toward passwordless authentication (FIDO2, passkeys), passwords remain the primary authentication mechanism for most systems. According to Verizon's DBIR, compromised credentials are involved in over 80% of web application breaches.
Entropy measures the unpredictability of a password in bits. Higher entropy = harder to crack.
Formula: E = L × log₂(C) where L = length, C = character set size
| Entropy (bits) | Security Level |
|---|---|
| ~40 bits | Crackable in minutes |
| ~60 bits | Resistant to online attacks |
| ~80 bits | Resistant to offline brute-force |
| 128+ bits | Cryptographically strong |
| Algorithm | Output | Status | Use Case |
|---|---|---|---|
| MD5 | 128-bit | Broken - rainbow tables crack most instantly | Legacy systems only |
| SHA-1 | 160-bit | Deprecated - collision attacks proven | Avoid for new systems |
| SHA-256 | 256-bit | Secure for integrity, but too fast for passwords | File integrity, signatures |
| bcrypt | Variable | Industry standard - adaptive, salted, slow | Password storage |
| Argon2 | Variable | Best practice - PHC winner | Modern password storage |
1. "How do you calculate password entropy?"
- Entropy = Length × log₂(CharacterSetSize)
- A 12-char password using lowercase+uppercase+digits+symbols: 12 × log₂(95) ≈ 78.8 bits
- This represents the theoretical maximum; patterns and dictionary words reduce effective entropy
2. "Why is bcrypt better than SHA-256 for passwords?"
- SHA-256 is designed to be fast - billions of hashes/second on modern GPUs
- bcrypt is intentionally slow with a configurable work factor
- bcrypt includes a built-in salt preventing rainbow table attacks
- Speed that's good for file verification is bad for password storage
3. "How does the HIBP breach check protect the actual password?"
- Uses k-anonymity: hash the password with SHA-1, send only the first 5 characters
- API returns all hashes starting with those 5 chars (~500 results)
- We check locally if the full hash is in the results
- The actual password or full hash never leaves the machine
4. "What makes a password truly strong?"
- Length is the most important factor (entropy scales linearly with length)
- Randomness matters more than complexity rules
- A 20-character random passphrase beats an 8-character complex password
- Must not appear in any breach database
- Should be unique per service (credential stuffing defense)
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (
git checkout -b feature/new-module) - Commit your changes (
git commit -m "Add new module") - Push to the branch (
git push origin feature/new-module) - Open a Pull Request
Educational purposes only. The hash cracking module is intended for recovering your own passwords and understanding password security. Never use it against systems or data you don't own. Always follow responsible disclosure practices.
This project is licensed under the MIT License, see the LICENSE file for details.