Password Strength

As you type a new password, we estimate its strength using algorithms similar to those used by password crackers, using open source zxcvbn library. Your password is tested locally and is neither stored nor transmitted outside of this site.

Note: If your site is using single-sign on, we never receive your password and consequently have no control over the quality of your password. This page refers only to passwords managed directly by this platform.

From zxcvbn documentation:

Through pattern matching and conservative estimation, it recognizes and weighs 30,000 common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

More secure:
policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
More flexible:
zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
More usable:
zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords.

Note that this is only an estimation based on the general population. For example, though Alyesha is a very uncommon name, if that's your spouse's name, it is vastly more likely to be cracked for you than it would be for me.

Details and motivation for this estimation tool is described in USENIX Security '16 paper and presentation .

Thank you Dropbox, for supporting open source.

See also:


Was this information helpful?
Suggestions for improvement?

Still need help?