Introduction

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs over 40,000 common passwords, common first and last names, popular words from Wikipedia and common words in many cultures, and other common patterns such as dates, repeats (e.g. 'aaa'), sequences (e.g. 'abcd'), keyboard patterns (e.g. 'qwertyuiop'), and l33t speak.

Consider using zxcvbn as an algorithmic alternative to a password composition policy: it is more secure, more flexible, and more convenient for sites that want to require a minimum strength score instead of a list of composition rules.

  • More secure: composition policies often fail in both directions, allowing weak passwords (P@ssword1) while blocking strong ones.
  • More flexible: zxcvbn lets many password styles flourish as long as they provide sufficient complexity: passphrases are rated highly given enough uncommon words, keyboard patterns are ranked by length and number of repetitions, and capitalization adds complexity when it is unpredictaBle.
  • More convenient: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. It also returns minimal, targeted, verbose feedback that helps guide users towards stronger passwords. For more details, see the USENIX Security '16 paper and presentation.

This is a complete rewrite of zxcvbn in TypeScript, licensed under the MIT license. Thanks to the original creators at Dropbox for their great work.

Other implementations

Performance

zxcvbn operates below the human perception of delay for most input: roughly 5-20 ms for 25-character passwords on modern browsers/CPUs, and about 100 ms for passwords around 100 characters. To bound latency for very long passwords, consider passing zxcvbn() only the first 100 characters or so of the user's input. Because estimation time grows with input length and the input is attacker-controlled, a limit of 256 characters is enforced by default; it can be customized with the maxLength option.
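The two points above, "a minimum score instead of composition rules" and "bound the input length before estimating", as an added example that is not part of zxcvbn-ts's own code. It shows the classic three-of-four-classes rule failing in both directions, a code-point-safe truncation helper, and a gate that scores only the bounded prefix. The estimator is injected so the file runs offline; in production you would pass the library's zxcvbn function. The `lengthOnlyEstimator`, the `minScore`/`maxLength` defaults and the sample passwords are constructed for this example and are not how zxcvbn scores.

```typescript
// Added example (not zxcvbn-ts's own code): a composition policy that fails in
// both directions, and a score-based gate that bounds the input length before
// handing it to an estimator with zxcvbn's result shape. The estimator is
// injected so this file runs offline; in production pass `zxcvbn` from
// @zxcvbn-ts/core. The `minScore`/`maxLength` defaults are assumptions.

interface StrengthResult {
  score: number; // zxcvbn scores are 0 (weakest) to 4 (strongest)
}

type Estimator = (password: string) => StrengthResult;

// The classic rule: at least 8 characters and three of four character classes.
// It accepts "P@ssword1" and rejects a four-word passphrase.
function passesCompositionPolicy(password: string): boolean {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  const present = classes.filter((re) => re.test(password)).length;
  return password.length >= 8 && present >= 3;
}

// Keep only the first `maxLength` code points. Array.from splits on code
// points, so an astral character (emoji, some CJK) is never cut into a lone
// surrogate. Scoring a prefix is conservative: the full password is at least
// as strong as the prefix that was scored.
function truncateForEstimator(input: string, maxLength = 100): string {
  return Array.from(input).slice(0, maxLength).join('');
}

// Accept a password when the estimator's score meets the threshold. Only the
// truncated prefix is scored, which bounds CPU time on attacker-supplied
// input; the caller still stores/hashes the full password.
function passwordAccepted(
  password: string,
  estimate: Estimator,
  minScore = 3,
  maxLength = 100,
): boolean {
  const result = estimate(truncateForEstimator(password, maxLength));
  return result.score >= minScore;
}

// Constructed stand-in estimator so the demo runs without the library.
// It scores on length alone and is NOT how zxcvbn scores.
const lengthOnlyEstimator: Estimator = (pw) => ({
  score: Math.min(4, Math.floor(Array.from(pw).length / 6)),
});

// Constructed sample inputs: the policy passes the first and fails the second;
// the score gate does the opposite.
const SAMPLES = ['P@ssword1', 'correct horse battery staple'];
for (const pw of SAMPLES) {
  console.log(
    JSON.stringify(pw),
    'composition policy:', passesCompositionPolicy(pw),
    'score gate:', passwordAccepted(pw, lengthOnlyEstimator),
  );
}
```

Two design notes. The gate only ever sees `maxLength` code points, so the worst-case estimation cost is fixed regardless of what a client submits; zxcvbn-ts applies the same idea internally through its maxLength option, so the helper here is for deployments that want a tighter bound than the default before the call. Truncation is done on code points rather than UTF-16 units so that a password ending in a multi-unit character is not scored with a dangling half-character.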