whatisgithub

What is zxcvbn?

dropbox/zxcvbn — explained in plain English

Analysis updated 2026-06-24

15,958CoffeeScriptAudience · developerComplexity · 2/5Setup · easy

In one sentence

zxcvbn is a JavaScript library that estimates how hard a password is to crack by recognizing real attack patterns like common words, keyboard sequences, and dates, giving users a realistic 0-to-4 strength score.

Mindmap

mindmap
  root((zxcvbn))
    What it does
      Pattern recognition
      Crack time estimate
      Score 0 to 4
    Attack patterns detected
      Common passwords
      Keyboard sequences
      Dictionary words
      Dates and l33t speak
    Integration
      Browser JS
      Node.js server
      Community ports
    Use cases
      Signup forms
      Password policies
      Security audits
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Add realistic password strength feedback to a signup form so users understand why their chosen password is weak.

USE CASE 2

Display estimated crack time alongside a strength meter so users see the real-world impact of their password choice.

USE CASE 3

Pass a user's name and email to zxcvbn as user inputs so personal details that weaken passwords are flagged.

What is it built with?

CoffeeScriptJavaScript

How does it compare?

dropbox/zxcvbnjashkenas/coffeescriptmojs/mojs
Stars15,95816,57718,701
LanguageCoffeeScriptCoffeeScriptCoffeeScript
Setup difficultyeasyeasyeasy
Complexity2/52/52/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

So what is it?

zxcvbn is a password strength estimator, a library you can add to a website or app to give users instant, realistic feedback on how strong their chosen password is. Instead of enforcing rigid rules like "must contain a number and a symbol," zxcvbn analyzes how hard a password would be for an attacker to guess, which is a better measure of actual security. It does this by recognizing common patterns: 30,000 frequently used passwords, common English words, popular names, keyboard sequences like "qwerty", repeated characters, dates, and "l33t speak" substitutions (like replacing letters with numbers). For each password, it estimates how many guesses an attacker would need to crack it under different attack scenarios, for example, an online attack where attempts are limited versus an offline attack using fast hardware. The result tells you both a numeric score from 0 to 4 and a rough estimate of crack time, plus brief human-readable suggestions to help users pick better passwords. The library is built with CoffeeScript (a language that compiles to JavaScript) and was created at Dropbox, which uses it in its own products. It works in web browsers and on servers, and community-contributed ports exist for many other programming languages. You call it with a single function, passing in the password string and optionally a list of user-specific terms (like the user's name or email) that should count as weak. The full README is longer than what was provided.

Copy-paste prompts

Prompt 1
Add a zxcvbn password strength meter to my React signup form that shows a color-coded bar and the estimated crack time as the user types.
Prompt 2
I want to block passwords with a zxcvbn score below 2 on my Node.js registration endpoint. Show me the server-side validation code.
Prompt 3
Display the zxcvbn feedback suggestions below my password field in plain English so users know exactly how to improve their password.
Prompt 4
I need to test zxcvbn with my own wordlist of company-specific weak passwords. How do I extend the default dictionary?
Prompt 5
Help me integrate zxcvbn into a vanilla HTML form with no framework, show me the CDN include and the event listener that updates a score indicator.

Frequently asked questions

What is zxcvbn?

zxcvbn is a JavaScript library that estimates how hard a password is to crack by recognizing real attack patterns like common words, keyboard sequences, and dates, giving users a realistic 0-to-4 strength score.

What language is zxcvbn written in?

Mainly CoffeeScript. The stack also includes CoffeeScript, JavaScript.

How hard is zxcvbn to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is zxcvbn for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.