Privacy & Security

Understand exactly what Time2Crack does and does not do with your password

What Time2Crack DOES

1. Local scan in your browser

  • Receives your password only when you type it in the field
  • Calculates all attack ranks locally (brute force, dictionary, Markov, etc.)
  • Shows the results directly on your screen
  • Forgets the password as soon as you leave or change the page

Your browser does not send the password anywhere. It stays only in local RAM during the scan.

2. Optional HIBP verification (Have I Been Pwned)

If you check the "Check for Known Leaks" option, Time2Crack can check whether your password appears in historical leaks. It uses k-anonymity to protect your privacy.

How k-anonymity works

  1. SHA-1 hash calculation (on your computer)
     Time2Crack calculates the full SHA-1 hash of your password, but the full hash never leaves your computer.

  2. Prefix extraction (first 5 characters)
     Only the first 5 characters of the hash are sent to HIBP. That is insufficient to identify your password.

  3. Anonymous request to HIBP
     HIBP returns all leaked password hashes that start with this prefix (about 500-1000 anonymous results).

  4. Local comparison (on your computer)
     Time2Crack compares the remaining 35 characters of the hash locally. Only your computer knows whether there is a match.

Concrete example: the password "password"

Step by step
Password: password
Complete SHA-1 hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

SPLIT

Sent to HIBP: 5BAA6 (5 characters = ~2,000 possible hashes)
Kept locally: 1E4C9B93F3F0682250B6CF8331B7EE68FD8 (35 characters, never transmitted)

HIBP returns all hashes that start with 5BAA6 (~500-1000 results).
Time2Crack compares locally and determines whether there is a match. Your full password never leaves your device.

Why 5 characters are enough for k-anonymity: With 5 hexadecimal characters, there are 16^5 = 1,048,576 possible combinations. HIBP returns about 500-1000 results for each prefix, creating a critical mass where your password is anonymized among hundreds of others.
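
The four steps above, written out as an added JavaScript example (this is not Time2Crack's own app.js). The range endpoint URL, the Add-Padding request header, and the names splitHash, findSuffix, checkPassword, hibpRange and SAMPLE_RANGE are assumptions that do not come from this page; the sample response is constructed.

```javascript
// Added example: HIBP k-anonymity range check (not Time2Crack's app.js).
// WebCrypto is global in browsers and recent Node; older Node needs the module.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Steps 1-2: hash locally, then split into the 5-char prefix and 35-char suffix.
async function splitHash(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = new Uint8Array(await subtle.digest('SHA-1', bytes));
  const hex = Array.from(digest, b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Step 4: scan the range response ("SUFFIX:COUNT" per line) for our suffix.
// Returns the breach count, or 0 when absent. Padded responses contain
// decoy lines with count 0, which must not be reported as a hit.
function findSuffix(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Step 3 is the only network call. fetchRange is injectable so the logic can
// be exercised offline, and it is only ever given the prefix.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = await splitHash(password);
  const body = await fetchRange(prefix);
  return { sentToServer: prefix, breachCount: findSuffix(body, suffix) };
}

// Real transport (assumed endpoint and header, not stated on this page).
const hibpRange = prefix =>
  fetch(`https://api.pwnedpasswords.com/range/${prefix}`,
        { headers: { 'Add-Padding': 'true' } }).then(r => r.text());

// Constructed sample response for prefix 5BAA6; the counts are made up.
const SAMPLE_RANGE = [
  '003D68EB55068C33ACE09247EE4C639306B:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  '1D2DA4053E34E76F6576ED1DA63134B5E2A:0', // padding-style decoy
].join('\r\n');
```

Calling checkPassword('password', hibpRange) performs the live lookup; passing a stub that returns SAMPLE_RANGE runs the same logic with no network access.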

3. Data storage

  • Uses your browser's localStorage only for user settings (language, preferences)
  • Does not save passwords or crack-time results
  • Automatically erases the password from memory after analysis

What Time2Crack DOES NOT Do

1. Password transmission

  • Never sends your password to our servers or third parties
  • Never sends your password to HIBP or other services
  • Never sends the complete SHA-1 hash (only 5 characters)
  • Never records the passwords tested

2. Use of data

  • Keeps no trace of your activity or the passwords tested
  • Creates no user profile related to your personal data
  • Shares no information with third parties (advertisers, partners, etc.)
  • Never sells your data

3. Persistent storage

  • Hosts no database of user passwords
  • Saves no history of calculations or results
  • Requires no user account or registration

Important

Even though Time2Crack never transmits your password, don't test your real password here if someone else can see your screen. Use a test password or use this tool in private.

Summary: Done vs. Not Done

Action                                                 | Time2Crack
-------------------------------------------------------|----------------------------
Calculate crack times                                  | Yes (locally)
Send the full password                                 | No
Send the complete SHA-1 hash                           | No
Send the first 5 characters of the hash (k-anonymity)  | Yes (if HIBP check enabled)
Save passwords                                         | No
Create a user account                                  | No
Share data with third parties                          | No
Use tracking cookies                                   | No
Display ads                                            | No
Execute third-party client-side code                   | No (zero dependencies)

How to Verify It Yourself

1. Browser developer tools

  1. Open the developer tools (F12 or Cmd+Option+I)
  2. Go to the Network tab
  3. Enter a test password in Time2Crack
  4. Watch the network requests: the only one you will see is the HIBP request with the 5-character prefix
  5. The full password never appears in the requests

2. Read the source code

  • Time2Crack is 100% open source on Codeberg
  • The code contains zero external dependencies; it's pure JavaScript
  • You can inspect app.js and verify that:
    • Passwords always stay local
    • Only the 5-character HIBP prefix is sent
    • There are no tracking cookies or personal analytics

3. Test in offline mode

  • You can use Time2Crack completely offline
  • Download the files and open index.html locally
  • All calculations work without connection (except optional HIBP verification)

Questions? See the FAQ or the academic sources for more details on Time2Crack's methodology.