explaingit

dropbox/zxcvbn

15,958 | CoffeeScript | Audience · developer | Complexity · 2/5 | Setup · easy

TLDR

zxcvbn is a JavaScript library that estimates how hard a password is to crack by recognizing real attack patterns like common words, keyboard sequences, and dates, giving users a realistic 0-to-4 strength score.

Mindmap

mindmap
  root((zxcvbn))
    What it does
      Pattern recognition
      Crack time estimate
      Score 0 to 4
    Attack patterns detected
      Common passwords
      Keyboard sequences
      Dictionary words
      Dates and l33t speak
    Integration
      Browser JS
      Node.js server
      Community ports
    Use cases
      Signup forms
      Password policies
      Security audits


Things people build with this

USE CASE 1

Add realistic password strength feedback to a signup form so users understand why their chosen password is weak.

USE CASE 2

Display estimated crack time alongside a strength meter so users see the real-world impact of their password choice.

USE CASE 3

Pass a user's name and email to zxcvbn as user inputs so personal details that weaken passwords are flagged.

Tech stack

CoffeeScript, JavaScript

Getting it running

Difficulty · easy | Time to first run · 5 min

In plain English

zxcvbn is a password strength estimator: a library you can add to a website or app to give users instant, realistic feedback on how strong their chosen password is. Instead of enforcing rigid rules like "must contain a number and a symbol," zxcvbn analyzes how hard a password would be for an attacker to guess, which is a better measure of actual security.

It does this by recognizing common patterns: 30,000 frequently used passwords, common English words, popular names, keyboard sequences like "qwerty", repeated characters, dates, and "l33t speak" substitutions (like replacing letters with numbers). For each password, it estimates how many guesses an attacker would need to crack it under different attack scenarios, for example an online attack where attempts are limited versus an offline attack using fast hardware. The result gives a numeric score from 0 to 4, a rough estimate of crack time, and brief human-readable suggestions to help users pick better passwords.

The library is written in CoffeeScript (a language that compiles to JavaScript) and was created at Dropbox, which uses it in its own products. It works in web browsers and on servers, and community-contributed ports exist for many other programming languages. You call it with a single function, passing in the password string and optionally a list of user-specific terms (like the user's name or email) that should count as weak. The full README is longer than what was provided for this summary.
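The single-function call described above, wrapped in a server-side check that feeds account fields in as user inputs. This is an added example, not code from the zxcvbn project: `buildUserInputs`, `checkPassword`, `MIN_SCORE`, `MAX_LENGTH` and the injectable `estimate` parameter are hypothetical names and policy choices, and real use assumes the `zxcvbn` npm package is installed.

```javascript
// Added example: gate a registration request on zxcvbn(password, user_inputs).
const MIN_SCORE = 2;    // assumed policy threshold (scores run 0 to 4)
const MAX_LENGTH = 128; // assumed cap: matching cost grows with input length

// Turn account fields into the user-specific terms zxcvbn should treat as weak.
// Each field is added whole and also split on non-alphanumerics, so
// "ada.lovelace@example.com" contributes "ada", "lovelace" and "example" too.
function buildUserInputs(user) {
  const terms = new Set();
  for (const value of Object.values(user)) {
    if (typeof value !== 'string' || value.length === 0) continue;
    const lower = value.toLowerCase();
    terms.add(lower);
    for (const part of lower.split(/[^\p{L}\p{N}]+/u)) {
      if (part.length >= 3) terms.add(part); // skip fragments too short to matter
    }
  }
  return [...terms];
}

// `estimate` defaults to the real library and is loaded only when no
// estimator is passed in, which lets tests supply their own.
function checkPassword(password, user, estimate = require('zxcvbn')) {
  if (typeof password !== 'string' || password.length === 0) {
    return { ok: false, score: 0, reasons: ['Password is required.'] };
  }
  if (password.length > MAX_LENGTH) {
    // Reject before scoring so a huge input cannot tie up the request handler.
    return { ok: false, score: null,
             reasons: [`Password must be at most ${MAX_LENGTH} characters.`] };
  }
  const result = estimate(password, buildUserInputs(user));
  const reasons = [];
  if (result.score < MIN_SCORE) {
    // Surface the library's own warning and suggestions to the user.
    if (result.feedback.warning) reasons.push(result.feedback.warning);
    reasons.push(...result.feedback.suggestions);
    if (reasons.length === 0) reasons.push('Choose a less guessable password.');
  }
  return { ok: result.score >= MIN_SCORE, score: result.score, reasons };
}
```

Run the same check on the server even when a browser meter is present, since client-side scoring can be bypassed by posting directly to the endpoint.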

Copy-paste prompts

Prompt 1
Add a zxcvbn password strength meter to my React signup form that shows a color-coded bar and the estimated crack time as the user types.
Prompt 2
I want to block passwords with a zxcvbn score below 2 on my Node.js registration endpoint. Show me the server-side validation code.
Prompt 3
Display the zxcvbn feedback suggestions below my password field in plain English so users know exactly how to improve their password.
Prompt 4
I need to test zxcvbn with my own wordlist of company-specific weak passwords. How do I extend the default dictionary?
Prompt 5
Help me integrate zxcvbn into a vanilla HTML form with no framework, show me the CDN include and the event listener that updates a score indicator.

Verify against the repo before relying on details.