DEV Community

Ing. Pablo Cueto

How I Built a Password Strength & Breach Check API with FastAPI and HaveIBeenPwned

The Problem

Most password strength checkers only validate character rules — length, uppercase, digits. But a password like Password1 passes every rule and has been breached over 2 million times.

I wanted a single API that does both: score the strength and check it against real breach data.

The Stack

  • FastAPI + Python 3.13
  • HaveIBeenPwned Pwned Passwords API v3
  • Render for deployment
  • RapidAPI for distribution

The k-Anonymity Model

The most important design decision was privacy. I never send the full password to HaveIBeenPwned. Instead:

  1. Hash the password with SHA-1
  2. Send only the first 5 characters of the hash
  3. HIBP returns all hashes that match that prefix
  4. Check locally if the full hash is in the list

import hashlib
import httpx  # async HTTP client assumed for `client.get`

async def breach_count(password: str) -> int:
    """Return how many times HIBP has seen this password, using the k-anonymity range API."""
    sha1_hash = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix = sha1_hash[:5]  # the only part that leaves the server
    suffix = sha1_hash[5:]  # compared locally against the returned range

    async with httpx.AsyncClient() as client:
        response = await client.get(f"https://api.pwnedpasswords.com/range/{prefix}")
        response.raise_for_status()

    for line in response.text.splitlines():
        hash_suffix, count = line.split(":")
        if hash_suffix == suffix:
            return int(count)  # Times found in breaches
    return 0  # Suffix not in the range: no known breach

The full password never leaves your server.

The Scoring Algorithm

The strength score (0–100) combines:

  • Length — up to 35 pts (6 tiers from <6 chars to 20+)
  • Character variety — up to 40 pts (lowercase, uppercase, digits, special chars)
  • Entropy bonus — up to 25 pts based on pool entropy (length × log2(charset_size))

Plus penalties for:

  • Common passwords (password, 123456, etc.)
  • Keyboard walks (qwerty, asdfgh)
  • Repeated characters (aaa, 111)
  • Sequential patterns (123, abc)
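A worked implementation of the scoring scheme described above, added here as an illustration and not the API's own code. The post gives only the maximum points per component, so the six length-tier cut-offs, the per-class pool sizes, the 1 point per 4 bits entropy conversion, the 15-point weight per penalty and the word lists are assumptions.

```python
import math
import re

# Constructed sample lists for the illustration; a real service would load far larger ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn")

def charset_size(pw: str) -> int:
    """Size of the pool the password draws from (class sizes are assumptions)."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += 32
    return size

def length_points(n: int) -> int:
    """Six tiers from <6 to 20+ chars, worth up to 35 pts (cut-offs are assumptions)."""
    for limit, pts in ((6, 0), (8, 10), (12, 20), (16, 28), (20, 32)):
        if n < limit:
            return pts
    return 35

def find_penalties(pw: str) -> list[str]:
    """Pattern penalties from the post: common words, keyboard walks, repeats, sequences."""
    low, found = pw.lower(), []
    if low in COMMON_PASSWORDS:
        found.append("common_password")
    if any(walk in low for walk in KEYBOARD_WALKS):
        found.append("keyboard_walk")
    if re.search(r"(.)\1\1", low):                      # aaa, 111
        found.append("repeated_characters")
    codes = [ord(c) for c in low]
    if any(codes[i + 1] - codes[i] == 1 and codes[i + 2] - codes[i + 1] == 1
           for i in range(len(codes) - 2)):             # 123, abc
        found.append("sequential_pattern")
    return found

def analyze(pw: str) -> dict:
    """Combine length (35), variety (40) and entropy bonus (25), minus 15 per penalty."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    size = charset_size(pw)
    entropy_bits = len(pw) * math.log2(size) if size else 0.0
    entropy_bonus = min(25, int(entropy_bits // 4))     # 1 pt per 4 bits is an assumption
    penalties = find_penalties(pw)
    raw = length_points(len(pw)) + 10 * classes + entropy_bonus - 15 * len(penalties)
    return {"score": max(0, min(100, raw)), "entropy_bits": round(entropy_bits, 1),
            "penalties": penalties}
```

Note that Password1 still scores in the 60s here with no penalties, which is exactly why the post pairs the score with the breach lookup.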

The Endpoints

Method  Route                   Description
POST    /password/analyze       Score + analysis
POST    /password/breach-check  HIBP breach lookup
POST    /password/full-check    Both in one call

Example Response

{
  "score": 95,
  "label": "Very Strong",
  "entropy_bits": 4.0,
  "length": 16,
  "checks": {
    "has_lowercase": true,
    "has_uppercase": true,
    "has_digit": true,
    "has_special": true
  },
  "feedback": [],
  "penalties": []
}

Try It

Available on RapidAPI as part of my Fraud Prevention Bundle alongside Email Validator, Phone Validator Pro, and IP Geolocation APIs.

Password Strength & Breach Check API on RapidAPI
