Each account in Dosel receives a risk score that helps you understand which passwords need attention first. This document explains how we calculate these scores.
Overview
Every account gets a risk score from 0 to 100, where a higher score means a safer password. The score is calculated by analyzing three dimensions:
| Dimension | Max impact | What it measures |
|---|---|---|
| Exposed | 50 points | Has the password appeared in known data breaches? |
| Insecure | 30 points | Is the password weak or easily guessable? |
| Duplicate | 20 points | Is the password reused across multiple accounts? |
Formula: `Risk Score = 100 - (exposed_points + insecure_points + duplicate_points)`
Risk tiers
Based on the calculated score, accounts are classified into tiers:
| Score | Tier | Meaning |
|---|---|---|
| 85-100 | Safe | Password is strong, unique, and not exposed |
| 65-84 | Low risk | Minor issues detected |
| 40-64 | Medium risk | Multiple concerns need attention |
| 15-39 | High risk | Significant security risks |
| 0-14 | Critical | Immediate action required |
Password exposure detection
We check if your passwords have appeared in known data breaches using the Have I Been Pwned (HIBP) service. This is done in a privacy-preserving way that never exposes your actual password.
How it works: k-anonymity
Local hashing: Your password is hashed with SHA-1 on your machine. The plaintext password is never transmitted anywhere.
Partial query: Only the first 5 characters of the 40-character hash are sent to the HIBP API. That prefix is shared by hundreds of leaked hashes (and by a vast number of possible passwords), so your password cannot be reverse-engineered from the query.
Local matching: The API returns the roughly 800 hash suffixes in its corpus that share the prefix. Your app then checks locally whether your full hash appears in that list.
Example
Password: "MyPassword123"
SHA-1 hash: 8BE3C943B1609FFFBFC51AAD666D0A04AED83979
Query sent: 8BE3C (only first 5 characters)
API returns: ~800 possible suffixes
Local check: Does the remaining 35-character suffix appear in the returned list?
Privacy guarantees
- Your password never leaves your machine in any form
- The API cannot determine which password you're checking
- Response padding (requested via the API's padding header) keeps responses a similar size, so the size of a response cannot reveal which prefix was queried
- Results are cached locally to minimize queries
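The k-anonymity exchange described above, written out as an added Python example (this is not Dosel's code). The range endpoint is replaced by a constructed in-process stand-in that, like the real service, only ever sees the 5-character prefix; the two passwords and breach counts it contains are made up for the demonstration, and the `fetch_range` callable is an assumed interface.

```python
from __future__ import annotations
import hashlib
from typing import Callable


def sha1_hex(password: str) -> str:
    """Hash locally; the plaintext never leaves this function."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """k-anonymity split: the 5-character prefix is sent, the 35-character suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the range response format: one 'SUFFIX:COUNT' entry per line.
    Entries added by the service's response padding carry a count of 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the breach corpus (0 = not found).
    Only the prefix is handed to `fetch_range`; matching happens on the returned suffixes."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)  # a padding entry (count 0) is treated as not found


# Constructed stand-in for the range endpoint. A real client would instead fetch something like
#   requests.get(f"https://api.pwnedpasswords.com/range/{prefix}", headers={"Add-Padding": "true"})
CONSTRUCTED_BREACH_CORPUS = {"password123": 1_200_000, "MyPassword123": 42}  # made-up counts


def fake_range_api(prefix: str) -> str:
    """Answer with every corpus suffix under `prefix`, plus one zero-count padding entry.
    Nothing in this function ever receives a full hash or a password from the caller."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        full = sha1_hex(pw)
        if full.startswith(prefix.upper()):
            lines.append(f"{full[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # constructed padding entry, as the real service adds
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("MyPassword123", "password123", "correct horse battery staple"):
        print(f"{pw!r}: prefix sent = {split_hash(sha1_hex(pw))[0]}, "
              f"breach count = {breach_count(pw, fake_range_api)}")
```

The parser deliberately keeps zero-count entries so that a padded line can never be mistaken for a hit, and `breach_count` returns the count rather than a boolean so the caller can apply the breach severity table directly.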
Breach severity levels
The number of times a password appears in breach databases determines its severity:
| Breach count | Severity | Points deducted |
|---|---|---|
| 0 | Secure | 0 |
| 1-100 | Low | 10 |
| 101-10,000 | Medium | 25 |
| 10,001-1,000,000 | High | 40 |
| Over 1,000,000 | Critical | 50 |
A password found in over a million breaches (like "password123") is extremely dangerous and should be changed immediately.
Password strength analysis
Passwords are analyzed for common weaknesses. Each issue contributes to the "insecure" dimension of the risk score.
Length requirements
| Length | Assessment | Points deducted |
|---|---|---|
| Under 8 characters | Critical | 30 |
| 8-11 characters | Weak | 22 |
| 12-14 characters | Medium | 15 |
| 15+ characters | Strong | 0-8 (depends on other factors) |
Detected patterns
The analyzer checks for these common weaknesses:
| Pattern | Examples | Severity |
|---|---|---|
| Common passwords | password, 123456, qwerty | Critical |
| Sequential characters | 123, abc, 987 | High |
| Keyboard patterns | qwerty, asdfgh | High |
| Repetitive characters | aaa, 111 | High |
| Date patterns | 1990, 2024 | High |
| Dictionary words | monkey, dragon | High |
| Leet speak variations | p@ssw0rd | High |
| Low entropy | Predictable character distribution | High |
| Limited character types | Only letters or only numbers | Medium |
Entropy
Shannon entropy, computed over the password's own character distribution and reported in bits per character, measures how unpredictable its characters are:
| Entropy (bits/char) | Assessment |
|---|---|
| Below 2.0 | Very predictable |
| 2.0-3.0 | Some patterns detected |
| 3.0-4.0 | Decent variety |
| Above 4.0 | Good randomness |
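An added Python example (not Dosel's code) that computes the bits-per-character figure from the table above and pairs it with three of the pattern checks from the "Detected patterns" table (sequential, repetitive, limited character types). The table's shared boundaries are read as half-open, so an exact 3.0 lands in "Decent variety"; that choice, and the +1/-1 code-point definition of a sequential run, are assumptions made here.

```python
from __future__ import annotations
import math
from collections import Counter


def shannon_bits_per_char(password: str) -> float:
    """Shannon entropy of the password's own character distribution, in bits per character."""
    if not password:
        return 0.0
    n = len(password)
    return -sum((k / n) * math.log2(k / n) for k in Counter(password).values())


def assess_entropy(bits: float) -> str:
    """Map bits/char to the table's labels (boundaries taken as half-open: an assumption)."""
    if bits < 2.0:
        return "Very predictable"
    if bits < 3.0:
        return "Some patterns detected"
    if bits < 4.0:
        return "Decent variety"
    return "Good randomness"


def has_sequential_run(password: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code point
    ('abc', '123', '987'); case-insensitive."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(password: str, run: int = 3) -> bool:
    """True if one character repeats `run` times in a row ('aaa', '111')."""
    return any(len(set(password[i:i + run])) == 1 for i in range(len(password) - run + 1))


def character_classes(password: str) -> set[str]:
    """Which of lower / upper / digit / symbol the password uses."""
    classes: set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def analyze(password: str) -> dict:
    """Entropy figure plus the pattern flags; the flags matter because a high
    entropy figure alone does not mean a password is hard to guess."""
    bits = shannon_bits_per_char(password)
    return {
        "bits_per_char": round(bits, 3),
        "entropy": assess_entropy(bits),
        "sequential": has_sequential_run(password),
        "repetitive": has_repeated_run(password),
        "limited_character_types": len(character_classes(password)) < 2,
    }


if __name__ == "__main__":
    for pw in ("abcdefgh", "password", "aaaaaaaa", "Tr0ub4dor&3"):  # constructed samples
        print(pw, analyze(pw))
```

Running it shows why the entropy figure is only one input: "abcdefgh" scores exactly 3.0 bits per character ("Decent variety") yet is flagged as a sequential run, while "password" scores 2.75 and trips only the limited-character-types check.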
Duplicate password detection
Reusing passwords across accounts is dangerous because if one account is compromised, all accounts sharing that password are at risk.
How duplicates are scored
| Accounts sharing password | Points deducted |
|---|---|
| 1 (unique) | 0 |
| 2 accounts | 10 |
| 3-4 accounts | 15 |
| 5+ accounts | 20 |
When duplicates are detected, each affected account shows which other accounts share the same password.
Example calculations
Strong password
- Password: Unique, 20 characters, high entropy, not in any breaches
- Exposed: 0 points
- Insecure: 0 points
- Duplicate: 0 points
- Risk score: 100 (Safe)
Weak but unique password
- Password: "password123", unique to this account
- Exposed: 50 points (appears in millions of breaches)
- Insecure: 30 points (common password)
- Duplicate: 0 points (only used once)
- Risk score: 20 (High risk)
Medium strength, reused
- Password: 14 characters, some patterns, used on 3 accounts, not in breaches
- Exposed: 0 points
- Insecure: 15 points (medium length, some patterns)
- Duplicate: 15 points (shared by 3 accounts)
- Risk score: 70 (Low risk)
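The scoring formula and tables above, brought together as an added Python example (not Dosel's code) that reproduces the three calculations in this section. It also groups a set of accounts by password to derive the "accounts sharing" figure used by the duplicate table. The `insecure` points are taken as an input rather than recomputed, because the strength analysis is summarised in tables but not fully specified on this page; the account names and passwords in the sample are constructed.

```python
from __future__ import annotations
import hashlib

EXPOSED_MAX, INSECURE_MAX, DUPLICATE_MAX = 50, 30, 20  # max impact of each dimension


def exposure_points(breach_count: int) -> int:
    """Breach severity table: 0 / 1-100 / 101-10,000 / 10,001-1,000,000 / over 1,000,000."""
    if breach_count <= 0:
        return 0
    if breach_count <= 100:
        return 10
    if breach_count <= 10_000:
        return 25
    if breach_count <= 1_000_000:
        return 40
    return 50


def duplicate_points(accounts_sharing: int) -> int:
    """Duplicate table: 1 (unique) / 2 / 3-4 / 5+ accounts share the password."""
    if accounts_sharing <= 1:
        return 0
    if accounts_sharing == 2:
        return 10
    if accounts_sharing <= 4:
        return 15
    return 20


def risk_score(exposed: int, insecure: int, duplicate: int) -> int:
    """Risk Score = 100 - (exposed + insecure + duplicate). Each dimension is clamped to its
    max impact so a mis-sized input can never push the score outside 0-100."""
    exposed = min(max(exposed, 0), EXPOSED_MAX)
    insecure = min(max(insecure, 0), INSECURE_MAX)
    duplicate = min(max(duplicate, 0), DUPLICATE_MAX)
    return 100 - (exposed + insecure + duplicate)


def risk_tier(score: int) -> str:
    """Risk tier table: 85-100 / 65-84 / 40-64 / 15-39 / 0-14."""
    if score >= 85:
        return "Safe"
    if score >= 65:
        return "Low risk"
    if score >= 40:
        return "Medium risk"
    if score >= 15:
        return "High risk"
    return "Critical"


def find_duplicates(accounts: dict[str, str]) -> dict[str, list[str]]:
    """For each account name, the other accounts using the same password.
    Grouping is done on a SHA-256 digest so the grouping table never holds plaintexts."""
    by_digest: dict[str, list[str]] = {}
    digest_of: dict[str, str] = {}
    for name, pw in accounts.items():
        d = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        digest_of[name] = d
        by_digest.setdefault(d, []).append(name)
    return {name: [n for n in by_digest[digest_of[name]] if n != name] for name in accounts}


def score_account(breach_count: int, insecure: int, accounts_sharing: int) -> tuple[int, str]:
    """Combine the three dimensions and classify the result."""
    s = risk_score(exposure_points(breach_count), insecure, duplicate_points(accounts_sharing))
    return s, risk_tier(s)


if __name__ == "__main__":
    # The three worked examples from this section.
    print("strong, unique, not breached:", score_account(0, 0, 1))            # (100, 'Safe')
    print("common password, unique:     ", score_account(5_000_000, 30, 1))   # (20, 'High risk')
    print("medium, reused on 3 accounts:", score_account(0, 15, 3))           # (70, 'Low risk')

    # Constructed vault: three accounts share one password, one is unique.
    vault = {"email": "constructed-pw-1", "bank": "constructed-pw-1",
             "forum": "constructed-pw-1", "shop": "constructed-pw-2"}
    for name, others in find_duplicates(vault).items():
        print(f"{name}: shares its password with {others or 'nobody'}")
```

The clamp in `risk_score` is the one check worth keeping in a real implementation: without it a caller passing a raw breach count or an un-capped pattern total instead of table points would silently produce a negative score and a wrong tier.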
Privacy summary
- Passwords are only used locally for analysis
- Only partial hashes are sent to check for breaches
- No passwords are stored or transmitted to any server
- All analysis happens in memory and is cleared after use
For more details about our security practices, see the Security & privacy documentation.