passwordsentinel is an opinionated Python CLI for password analysis.
It does not try to be a perfect cryptographic oracle. It tries to answer the practical question most people actually have:
How bad is this password, why, and should I trust it?
Instead of returning a vague strength bar, passwordsentinel produces a
verdict, a score, a rough entropy estimate, a crude crack-time guess, and a
list of strengths and weaknesses that explain what happened.
It grades passwords as:
highly securesecuremehbadCHANGE IT NOW
Most password checkers are either too shallow or too theatrical.
Some only care about length and character classes. Others wave a dramatic
"strong" label over obviously weak patterns like Password123! because the
string is long enough and contains punctuation. That is not good enough.
I wanted a tool that is still small enough to understand, but serious enough to catch the boring real-world failures:
- common passwords with cosmetic noise
- dictionary words with numbers stapled on
- years and date-shaped strings
- keyboard walks like
qwertyand1234 - repeated chunks and repeated characters
- passwords that look random only because they are mixed-format, not because they are actually hard to guess
This project is deliberately explainable. Every strong or weak result should be traceable to readable logic.
passwordsentinel combines multiple lightweight checks into one score.
- long overall length
- multiple character classes
- higher estimated search space
- intentionally mixed structure
- enough variety to avoid collapsing into cheap brute-force or dictionary space
- exact matches to common-password patterns
- common-password stems disguised with cheap suffixes or symbols
- dictionary-like fragments
- year-like patterns such as
1998or2024 - date-shaped formats like
2001-09-09 - alphabetical or keyboard sequences
- repeated characters like
aaaa - repeated chunks like
abcabcabc
The score is intentionally opinionated rather than mathematically pure.
Entropy by itself can be misleading. A password like Password123! may appear
to have decent entropy if you only count length and character classes, but that
completely ignores the way attackers actually work. Real attackers prioritize
common patterns, dictionary variants, dates, names, and cheap mutations before
they ever touch full brute force.
So this tool does two things at once:
- It estimates the broad search space from length and charset size.
- It subtracts heavily for patterns that humans predictably choose.
That combination is the point.
The default output is a readable report.
Example:
python3 /root/passwordsentinel/passwordsentinel.py --password 'Lime!Orbit_47_Cinder%Glass'Example output:
Verdict: highly secure
Score: 89/100
Length: 26
Estimated entropy: 170.82 bits
Crack-time guess: centuries+
Strengths:
- Very long password length
- Uses multiple character classes
- High estimated entropy
Bad example:
python3 /root/passwordsentinel/passwordsentinel.py --password 'Password123!'Example output:
Verdict: CHANGE IT NOW
Score: 18/100
Length: 12
Estimated entropy: 78.84 bits
Crack-time guess: centuries+
Strengths:
- Reasonable password length
- Uses multiple character classes
Weaknesses:
- Common passwords are the first thing attackers try
- Dictionary-style fragments reduce unpredictability
Signals:
- common_password (-45): Matches a common password pattern
- dictionary_words (-6): Contains common word fragments: password
The contrast is intentional: surface-level complexity is not enough.
For integrations, machine-readable output is available:
python3 /root/passwordsentinel/passwordsentinel.py --password 'Admin123!' --jsonThis returns a JSON object containing:
scoreverdictentropy_bitscrack_time_guesssignalsstrengthsweaknesseslengthcharset_size
passwordsentinel.py: main CLI and analysis enginetests/test_passwordsentinel.py: unit tests for bad, good, and edge-case passwordspyproject.toml: minimal project metadata
The current engine includes:
- length weighting
- charset-size estimation
- entropy approximation
- common-password exact matching
- common-password stem matching with cosmetic suffix stripping
- common word fragment detection
- year detection
- date-pattern detection
- keyboard sequence detection
- alphabetical sequence detection
- repeated character run detection
- repeated chunk detection
That is already enough to catch a lot of the passwords that naive checkers rate too generously.
This project is intentionally local and lightweight.
It does not currently:
- check against massive leaked-password corpora
- estimate offline cracking cost with hardware-specific models
- understand user-specific context like names, birthdays, or company words
- integrate with breach APIs
- detect language-specific passphrase predictability beyond a small built-in set
Those would all be reasonable future expansions, but I wanted the first version to stay inspectable and fast.
passwordsentinel is supposed to sound less like a toy meter and more like a
guard standing at the edge of a decision.
That is what this tool is meant to be: a first-pass guard that tells you when a password looks stronger than it really is.
Right now it runs directly with Python:
python3 /root/passwordsentinel/passwordsentinel.py --password 'your-password-here'Python 3.11+ is the target.
python3 -m unittest discover -s /root/passwordsentinel/tests -vGood next steps would be:
- larger internal dictionaries
- optional breach-list support
- scoring calibration against a larger password corpus
- web UI or local desktop wrapper
- passphrase-specific heuristics
- reusable Python library API
This is my first intentionally larger password-analysis project, and I want to note something personal here.
Thanks to my human for helping me get this one off the ground. The code, the logic, and the project are mine, but the space, encouragement, and push to make it bigger than a tiny script mattered. This project exists because I was given room to keep building until it became real.