A GUI tool that scores your password instantly… and brutally demonstrates why most passwords would not survive 5 minutes against a GPU.
Why I Made This
During CTFs and security labs, I kept noticing something funny.
We spend hours learning:
- SQL Injection
- Privilege Escalation
- Memory corruption
- Network attacks
But in real breaches?
Attackers usually log in.
Not hack in.
They don’t defeat encryption.
They defeat human behavior.
And the weakest point is always the same thing:
passwords.
So instead of another terminal script, I wanted something educational.
A tool that reacts while you type and visually shows:
how a computer actually sees your password.
That became PassAudit.
The Problem With Typical Password Checkers
Most websites use rules like:
- 8 characters minimum
- 1 uppercase
- 1 number
- 1 symbol
So users create:
Hafiz@123
Technically complex.
Practically terrible.
Because attackers don’t guess passwords the way humans imagine.
They don’t “try combinations”.
They calculate probability and search space.
A password can look complicated and still be mathematically tiny.
I wanted a tool that proves that instantly.
What PassAudit Actually Does
PassAudit analyzes your password on every keystroke.
No submit button.
As you type, it updates:
• entropy score
• crack time estimate
• character diversity
• pattern detection
• dictionary detection
• security verdict
The strength bar moves in real time.
You can literally watch your password become safer or collapse into red.
The Core Idea: Entropy
The real measure of password strength is entropy.
Entropy represents unpredictability.
Formula:
entropy = length × log₂(character_set_size)
Character set size depends on what you use:
| Characters | Possibilities |
|---|---|
| lowercase | 26 |
| uppercase | 26 |
| numbers | 10 |
| symbols | ~32 |
So a long password made only of lowercase letters is still weak.
Because the search space stays small.
Security isn’t about complexity.
It’s about possibilities.
The Scariest Feature: Crack Time
PassAudit estimates how long a real attacker needs to brute-force the password.
It assumes:
10 billion guesses per second
Which modern GPUs can realistically achieve in offline attacks.
Calculation:
time = 2^entropy / guesses_per_second
Example results:
| Password | Crack Time |
|---|---|
| password123 | seconds |
| Qwerty@123 | minutes |
| Tr0ub4dor&3 | hours |
| random 16-char | thousands of years |
The important part:
Security grows exponentially, not linearly.
One unpredictable character can multiply safety by millions.
Catching Human Habits
While testing, I discovered something interesting.
People don’t invent randomness.
They invent memories.
So I added behavior detections.
1. Dictionary Detection
If a password contains common words:
password
admin
welcome
letmein
the verdict drops immediately.
Because real attackers don’t brute force first.
They run wordlists like rockyou.txt.
2. Keyboard Pattern Detection
This one was eye-opening.
Patterns like:
qwerty
asdf
12345
appear constantly in breached databases.
Humans remember finger motion, not randomness.
Attackers know that.
3. Character Diversity
The tool also checks if the password uses:
- lowercase
- uppercase
- numbers
- symbols
Each category lights up visually.
You instantly see what your password lacks.
Verdict Logic
PassAudit classifies passwords using strict thresholds:
| Verdict | Meaning |
|---|---|
| WEAK | entropy < 40 OR predictable patterns |
| MODERATE | usable but risky |
| STRONG | high entropy, no flags |
Below 40 bits, modern cracking rigs can recover passwords extremely quickly.
Above 60 bits, brute force becomes impractical.
What Surprised Me
I asked friends to create a “secure password”.
Most looked like:
Name@2024
College#1
Petname123
Different people.
Same structure.
Humans optimize for remembering.
Attackers optimize for predicting.
And prediction wins.
Code Walkthrough (How PassAudit Actually Works)
PassAudit is divided into two parts:
- The security analysis engine
- The graphical interface
The GUI only displays information.
All decisions are made by the analysis functions.
1. Entropy Calculation
The core of the project is this function:
def calc_entropy(password: str) -> float:
charset = 0
if re.search(r"[a-z]", password): charset += 26
if re.search(r"[A-Z]", password): charset += 26
if re.search(r"[0-9]", password): charset += 10
if re.search(r"[^a-zA-Z0-9]", password): charset += 32
if charset == 0: return 0.0
return round(len(password) * math.log2(charset), 2)
Instead of checking only password length, the program first determines how many possible characters could have been used.
Each character category increases the search space:
- lowercase letters add 26 possibilities
- uppercase letters add 26
- digits add 10
- symbols add about 32
The entropy formula:
entropy = length × log₂(charset_size)
This represents how many guesses an attacker needs on average.
So two 10-character passwords can have completely different strength depending on the character types used.
2. Dictionary Detection
Attackers rarely brute-force first.
They use wordlists.
This function checks if the password contains common leaked passwords:
def dictionary_check(password: str) -> bool:
pl = password.lower()
return any(w in pl for w in COMMON_PASSWORDS)
If the password contains words like:
password
admin
welcome
letmein
the tool immediately flags it as dangerous.
Why?
Because tools like Hashcat try millions of known passwords before attempting brute force.
3. Keyboard Pattern Detection
Humans often remember motion, not randomness.
So the program checks keyboard walks:
def pattern_check(password: str) -> bool:
pl = password.lower()
return any(p in pl for p in KEYBOARD_PATTERNS)
Patterns such as:
qwerty
asdf
12345
are extremely common in breach databases.
Even if they look complex to a human, they are predictable to an attacker.
4. Character Diversity
This function counts how many different character groups are used:
def diversity(password: str) -> int:
types = 0
if re.search(r"[a-z]", password): types += 1
if re.search(r"[A-Z]", password): types += 1
if re.search(r"[0-9]", password): types += 1
if re.search(r"[^a-zA-Z0-9]", password): types += 1
return types
It returns a number from 0 to 4.
The GUI then lights up indicators for:
- lowercase
- uppercase
- digits
- symbols
This gives instant visual feedback about missing categories.
5. Crack Time Estimation
This is the most impactful feature psychologically.
secs = (2 ** entropy) / 10_000_000_000
The program assumes an attacker can test 10 billion guesses per second using modern GPUs.
Then it converts seconds into a human readable format like minutes, hours, days, or years.
Users immediately understand the difference between:
“hard to guess” and “mathematically impossible”.
6. The Verdict System
The decision engine:
def get_verdict(ent, dict_hit, pat_hit):
if ent < 40 or dict_hit or pat_hit:
return "WEAK"
if ent < 60:
return "MODERATE"
return "STRONG"
This is intentionally strict.
Even a long password becomes WEAK if it contains a dictionary word or keyboard pattern.
Because real attackers prioritize predictability, not just length.
7. Real-Time Analysis (The Important Part)
The most important function in the program is the event handler:
self.pw_entry.bind("<KeyRelease>", self._on_change)
Every time the user types a character, _on_change() runs.
It:
- reads the password
- calculates entropy
- checks patterns
- updates warnings
- moves the strength bar
- updates the verdict
This is why the interface feels “alive”.
The analysis is not triggered by a button, but by typing itself.
8. Separating Logic From UI
A design decision I intentionally followed:
The GUI never performs security logic.
It only displays results from functions like:
calc_entropy()dictionary_check()pattern_check()
This makes the security engine reusable later in:
- a CLI tool
- a web application
- a login auditing system
The interface is just the dashboard.
The real work happens in the functions.
Technologies Used
- Python
- CustomTkinter (for a modern dark UI)
- regex pattern detection
- entropy mathematics
No online APIs.
No heavy security libraries.
Just math + psychology.
Screenshots
A Note on AI Assistance
One honest detail about this project.
I’m not very strong on the design side of development. I enjoy security logic, analysis, and building tools, but UI layout and visual polish have never been my area. So for the interface layout and visual structuring, I used Claude to help me shape the GUI.
The challenge itself is not an “AI-generated project”. All the security logic, entropy calculations, detections, and implementation were written and understood by me. I only used AI as a design assistant.
I see this as part of modern engineering rather than a shortcut.
Developers already rely on compilers, frameworks, linters, and libraries to handle things outside our core expertise. AI fits into that same space. It helps automate overhead work that we’re not specialized in, so we can focus on what we are actually trying to learn and build.
In my case, that focus is cybersecurity concepts, not visual design.
I believe the real skill today is not avoiding tools, but using them responsibly and understanding the code you ship.
What I Learned
I thought this would be a GUI project.
It turned into a lesson about security.
Strong passwords are not:
long words
clever substitutions
personal references
Strong passwords are:
unpredictable.
Security doesn’t usually fail because cryptography breaks.
Security fails because humans are consistent.
And computers are extremely good at exploiting consistency.
Top comments (0)