Know if a password is actually secure.
Bastion analyses passwords and returns strength scores, crack time estimates, entropy, and real breach data, without ever storing, logging, or exposing the raw password.
What you get back
0–4 score and human-readable label (Very Weak → Very Strong) using the zxcvbn algorithm.
Estimated crack times across four attack scenarios: throttled and unthrottled online, and fast and slow offline.
Checks the HaveIBeenPwned database via k-anonymity. Only a partial hash is ever sent.
Warnings and suggestions grounded in how passwords actually get cracked. Not just "add a symbol".
Response shape
Everything you need, nothing you don't.
A single POST to /v1/evaluate returns a complete picture of a password's security. Breach checking is optional. Use ?hibp=false to skip it.
Available now on RapidAPI. Native keys available directly (free tier includes 100 requests per day).
Security practices
- Raw passwords are never stored, logged, or transmitted to any third party
- Breach checks use k-anonymity. Only the first 5 characters of a SHA-1 hash are sent to HaveIBeenPwned
- Passwords are zeroed from memory immediately after processing
- Email addresses are hashed before storage and used only for key regeneration
- API keys and regeneration tokens are hashed before storage
- IP addresses used for demo rate limiting are hashed and deleted after 24 hours