Privacy & Security

Understand exactly what Time2Crack does and does not do with your password

What Time2Crack DOES

1. Local scan in your browser

  • Receives your password only when you type it in the field
  • Calculates all attack ranks locally (brute force, dictionary, Markov, etc.)
  • Shows results directly on your screen
  • Forgets the password as soon as you leave or change the page

Your browser does not send the password anywhere; it stays only in local RAM during the scan.

2. Optional HIBP verification (Have I Been Pwned)

If you check the "Check for Known Leaks" option, Time2Crack can check whether your password appears in historical leaks. It uses k-anonymity to protect your privacy.

How k-anonymity works

  1. SHA-1 hash calculation (on your computer)
     Time2Crack calculates the full SHA-1 hash of your password, but the full hash never leaves your computer.

  2. Prefix extraction (first 5 characters)
     Only the first 5 characters of the hash are sent to HIBP. This is insufficient to identify your password.

  3. Anonymous request to HIBP
     HIBP returns all leaked password hashes that start with this prefix (about 500-1000 anonymous results).

  4. Local comparison (on your computer)
     Time2Crack compares the remaining 35 characters of the hash locally. Only your computer knows if it's a match.

Concrete example: password "password"

Step by step
Password: password
Complete SHA-1 hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

SPLIT

Sent to HIBP: 5BAA6 (5 characters = ~2,000 possible hashes)
Kept locally: 1E4C9B93F3F0682250B6CF8331B7EE68FD8 (35 characters, never transmitted)

HIBP returns the hashes that start with 5BAA6 (~500-1000 results).
Time2Crack compares locally and determines whether it is a match. Your full password never leaves your device.

Why 5 characters are enough for k-anonymity: With 5 hexadecimal characters, there are 16^5 = 1,048,576 possible combinations. HIBP returns about 500-1000 results for each prefix, creating a critical mass where your password is anonymized among hundreds of others.
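The four steps above, written out as an added JavaScript example (not Time2Crack's own code). The function names, the injected fetchRange callback and the sample response are hypothetical or constructed, and the response format of one SUFFIX:COUNT entry per line is assumed; the network call is replaced by a stand-in so the block runs offline.

```javascript
// Added example, not Time2Crack's code. Web Crypto is global in browsers and recent Node;
// the require() fallback is only evaluated on older Node versions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Step 1: full SHA-1 of the password, computed locally, as 40 uppercase hex characters.
async function sha1Hex(password) {
  const digest = await subtle.digest("SHA-1", new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Step 2: the 5-character prefix is sent, the 35-character suffix stays on the device.
function splitHash(hashHex) {
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// Step 4: look for our suffix in the response body (assumed "SUFFIX:COUNT" per line).
// Returns the leak count, or 0 when the suffix is absent or listed with count 0.
function countForSuffix(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) return Number(count) || 0;
  }
  return 0;
}

// Steps 1-4 together. fetchRange(prefix) is the only point where data leaves the device.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const body = await fetchRange(prefix); // step 3: only the prefix is passed out
  return { sentPrefix: prefix, count: countForSuffix(body, suffix) };
}

// Constructed sample response for prefix 5BAA6 (suffixes other than the page's, and all counts, are made up).
const SAMPLE_RANGE = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
  "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",
].join("\r\n");

// Stand-in for the HTTP request; records every value it is handed.
const sent = [];
const fakeFetchRange = async (prefix) => { sent.push(prefix); return SAMPLE_RANGE; };

checkPassword("password", fakeFetchRange).then((r) => console.log(r, sent));
```

Everything recorded in `sent` is what a network observer would see: the 5-character prefix and nothing else.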

3. Data storage

  • Uses your browser's localStorage only for user settings (language, preferences)
  • Stores no passwords or crack-time results
  • Automatically erases the password from memory after analysis

What Time2Crack DOES NOT Do

1. Password transmission

  • Never sends your password to our servers or third parties
  • Never sends your password to HIBP or other services
  • Never sends the complete SHA-1 hash (only 5 characters)
  • Never records the passwords tested

2. Use of data

  • Keeps no trace of your activity or the passwords tested
  • Creates no user profile related to your personal data
  • Shares no information with third parties (advertisers, partners, etc.)
  • Never sells your data

3. Persistent storage

  • Hosts no database of user passwords
  • Saves no history of calculations or results
  • Requires no user account or registration

Important

Even though Time2Crack never transmits your password, don't test your real password here if someone else can see your screen. Use a test password or use this tool in private.

Summary: Done vs. Not Done

Action | Time2Crack
Calculate crack times | Yes (locally)
Send the full password | No
Send the complete SHA-1 hash | No
Send the first 5 characters of the hash (k-anonymity) | Yes (if HIBP check enabled)
Save passwords | No
Create a user account | No
Share data with third parties | No
Use tracking cookies | No
Display ads | No
Run third-party client-side code | No (zero dependencies)

How to Verify for Yourself

1. Browser Developer Tools

  1. Open the developer tools (F12 or Cmd+Option+I)
  2. Go to the Network tab
  3. Enter a test password in Time2Crack
  4. Watch the network requests: you will see only the HIBP request with the 5-character prefix
  5. The full password never appears in the requests

2. Review the source code

  • Time2Crack is 100% open source on Codeberg
  • The code contains zero external dependencies — it's pure JavaScript
  • You can inspect app.js and verify that:
    • Passwords always stay local
    • Only the 5-character HIBP prefix is sent
    • There are no tracking cookies or personal analytics

3. Test in offline mode

  • You can use Time2Crack completely offline
  • Download the files and open index.html locally
  • All calculations work without connection (except optional HIBP verification)

Questions? See the FAQ or the academic sources for more details on the Time2Crack methodology.