What It Is
zxcvbn is Dropbox’s password-strength estimation library. It is inspired by how attackers guess passwords, not by how many uppercase letters or symbols a string contains.
The project offers an alternative to annoying rules such as “must contain three character types.” A site can require a minimum score and give more understandable feedback.
What Is Inside
zxcvbn recognizes common passwords, names, surnames, popular English words, dates, repeats, sequences, keyboard patterns, and leet spelling.
The result includes a score and estimated cracking scenarios: rate-limited online attack, unrestricted online attack, and offline attack. That explains risk better than a single rule.
How People Use It
The library is wired into registration or password-change forms. As the user types, the interface shows whether the password is strong enough and which parts of it look predictable.
It should be treated as guidance, not the only defense. Server-side password storage, hashing, rate limiting, and multi-factor protection remain required.
Example
The example shows a basic JavaScript check: the password receives a score, and the app decides whether to continue.
Password Score
The example shows how to get a numeric score and use it in a registration form.
import zxcvbn from "zxcvbn";
// `password` is the current value of the form's password field.
const result = zxcvbn(password);
// score runs from 0 (too guessable) to 4 (very unguessable); 3 is a common minimum.
if (result.score < 3) {
  // showWarning is the form's own helper for displaying inline feedback.
  showWarning(result.feedback.warning || "Choose a stronger password");
}
Strengths And Limits
zxcvbn’s strength is realism. It detects weak “complex” passwords with symbol substitutions better than a simple character-composition check.
The limitation is dictionary size and context. The bundled dictionaries and heuristics do not know every local user habit (a company name, a product code, the user's own e-mail), so the library should complement a broader security model rather than replace it.
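The decision logic described under "What Is Inside" and the context gap noted just above, as an added example that is not part of the zxcvbn project: it turns a zxcvbn result object into an accept/reject decision, lists the predictable parts, and reports the three cracking scenarios. The field names (score, crack_times_seconds, feedback, sequence) follow zxcvbn's documented result; SAMPLE_RESULT is a constructed stand-in with made-up values so the file runs without the package installed, and MIN_SCORE is a hypothetical site policy.

```javascript
// Added example; not code from the zxcvbn repository.
const MIN_SCORE = 3; // hypothetical site policy: require score >= 3

// Constructed stand-in shaped like a zxcvbn result (values are made up).
const SAMPLE_RESULT = {
  score: 2,
  guesses: 1.2e7,
  crack_times_seconds: {
    online_throttling_100_per_hour: 4.32e8,       // ~14 years
    online_no_throttling_10_per_second: 1.2e6,    // ~2 weeks
    offline_slow_hashing_1e4_per_second: 1200,    // ~20 minutes
    offline_fast_hashing_1e10_per_second: 0.0012, // instant
  },
  feedback: { warning: "", suggestions: ["Add another word or two."] },
  sequence: [
    { pattern: "dictionary", token: "Tr0ub4dor", l33t: true },
    { pattern: "bruteforce", token: "&3" },
  ],
};

// Map zxcvbn's four scenarios onto the three the page describes.
function scenarios(result) {
  const t = result.crack_times_seconds;
  return {
    rateLimitedOnlineSeconds: t.online_throttling_100_per_hour,
    unrestrictedOnlineSeconds: t.online_no_throttling_10_per_second,
    // Report the worst offline case: a fast hash (e.g. unsalted MD5).
    offlineSeconds: t.offline_fast_hashing_1e10_per_second,
  };
}

// Decide whether to accept and explain which parts look predictable.
function assessPassword(result, minScore = MIN_SCORE) {
  // "bruteforce" segments are the parts zxcvbn could not match to any
  // pattern, so only the other matches count as predictable.
  const predictable = result.sequence
    .filter((m) => m.pattern !== "bruteforce")
    .map((m) => `${m.token} (${m.pattern}${m.l33t ? ", leet" : ""})`);
  const fb = result.feedback;
  return {
    accepted: result.score >= minScore,
    score: result.score,
    predictable,
    scenarios: scenarios(result),
    message: fb.warning || fb.suggestions.join(" ") || "OK",
  };
}

// With the real library: assessPassword(zxcvbn(password, [username, email]))
console.log(assessPassword(SAMPLE_RESULT));
```

Passing site-specific words such as the username or e-mail as zxcvbn's second argument is how a site supplies the local context the bundled dictionaries lack.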
Project Context
zxcvbn is maintained in the dropbox/zxcvbn repository; its public project history starts on 2012-02-28. GitHub reports the primary language as CoffeeScript, and the license as MIT. The project also has a dedicated site: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler.
For a catalog page, this context matters because the reader sees a real project with an owner, license, technical base, and public change history rather than an abstract name.