_________________________________________________/\/\___________________
_/\/\/\/\/\__/\/\__/\/\____/\/\/\/\__/\/\__/\/\__/\/\________/\/\/\/\___
_____/\/\______/\/\/\____/\/\________/\/\__/\/\__/\/\/\/\____/\/\__/\/\_
___/\/\________/\/\/\____/\/\__________/\/\/\____/\/\__/\/\__/\/\__/\/\_
_/\/\/\/\/\__/\/\__/\/\____/\/\/\/\______/\______/\/\/\/\____/\/\__/\/\_
________________________________________________________________________
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
zxcvbn
aaa
abcd
qwertyuiop
[email protected]
- More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle. More usable: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords. For further detail and motivation, please refer to the USENIX Security '16 paper and presentation. At Dropbox we use zxcvbn (Release notes) on our web, desktop, iOS and Android clients. If JavaScript doesn't work for you, others have graciously ported the library to these languages: zxcvbn-python (Python)
- zxcvbn-cpp (C/C++/Python/JS)
- xcvbn-c (C/C+)
- zxcvbn-rs (Rust)
- zxcvbn-go (Go)
- nbvcxz (Java)
- zxcvbn-ruby (Ruby)
- zxcvbn-js (Ruby [via ExecJS])
- zxcvbn-ios (Objective-C)
- xcvbn-cs (C35;/.NET)
- xcvbn-php (PHP)
- zxcvbn-api (REST)
- ocaml-zxcvbn (OCaml bindings for zxcvbn-c)
- --debug adds an inline source map to the bundle. exorcist pulls it out into dist/zxcvbn.js.map.
- --standalone zxcvbn exports a global zxcvbn when CommonJS/AMD isn't detected.
- -t coffeeify --extension='.coffee' compiles .coffee to .js before bundling. This is convenient as it allows .js modules to import from .coffee modules and vice-versa. Instead of this transform, one could also compile everything to .js first (npm run prepublish) and point browserify to lib instead of src.
- -t uglifyify minifies the bundle through UglifyJS, maintaining proper source mapping.
- Make sure your server is configured to compress static assets for browsers that support it. (nginx tutorial, Apache/IIS tutorial.) Then try one of these alternatives: Put your <script src="zxcvbn.js"> tag at the end of your html, just before the closing </body> tag. This ensures your page loads and renders before the browser fetches and loads zxcvbn.js. The downside with this approach is zxcvbn() becomes available later than had it been included in <head> — not an issue on most signup pages where users are filling out other fields first. Put your <script src="zxcvbn.js"> tag at the end of your html, just before the closing </body> tag. This ensures your page loads and renders before the browser fetches and loads zxcvbn.js. The downside with this approach is zxcvbn() becomes available later than had it been included in <head> — not an issue on most signup pages where users are filling out other fields first.
- Use the HTML5 async script attribute. Downside: doesn't work in IE7-9 or Opera Mini. Use the HTML5 async script attribute. Downside: doesn't work in IE7-9 or Opera Mini.
zxcvbn-python
zxcvbn-cpp
zxcvbn-c
zxcvbn-rs
zxcvbn-go
zxcvbn4j
nbvcxz
zxcvbn-ruby
zxcvbn-js
zxcvbn-ios
zxcvbn-cs
szxcvbn
zxcvbn-php
zxcvbn-api
ocaml-zxcvbn
zxcvbn-c
Integrations with other frameworks: angular-zxcvbn (AngularJS)
angular-zxcvbn
zxcvbn detects and supports CommonJS (node, browserify) and AMD (RequireJS). In the absence of those, it adds a single function zxcvbn() to the global namespace.
zxcvbn()
node
bower
Get zxcvbn:
zxcvbn
Add this script to your index.html:
index.html
To make sure it loaded properly, open in a browser and type zxcvbn('Tr0ub4dour&3') into the console.
zxcvbn('Tr0ub4dour&3')
To pull in updates and bug fixes: Node / npm / MeteorJS zxcvbn works identically on the server. RequireJS Add zxcvbn.js to your project (using bower, npm or direct download) and import as usual:
zxcvbn.js
npm
require('zxcvbn')
But we recommend against bundling zxcvbn via tools like browserify and webpack, for three reasons: Minified and gzipped, zxcvbn is still several hundred kilobytes. (Significantly grows bundle size.) Most sites will only need zxcvbn on a few pages (registration, password reset). Most sites won't need zxcvbn() immediately upon page load; since zxcvbn() is typically called in response to user events like filling in a password, there's ample time to fetch zxcvbn.js after initial html/css/js loads and renders.
zxcvbn()
zxcvbn()
zxcvbn.js
dist/zxcvbn.js
--debug
exorcist
dist/zxcvbn.js.map
--standalone zxcvbn
zxcvbn
-t coffeeify --extension='.coffee'
.coffee
.js
.js
.coffee
.js
npm run prepublish
browserify
lib
src
-t uglifyify
Manual installation Download zxcvbn.js. Add to your .html: try zxcvbn interactively to see these docs in action. zxcvbn() takes one required argument, a password, and returns a result object with several properties:
zxcvbn()
The optional user_inputs argument is an array of strings that zxcvbn will treat as an extra dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes a user's personal information can be heavily penalized. This list is also good for site-specific vocabulary — Acme Brick Co. might want to include ['acme', 'brick', 'acmebrick', etc].
user_inputs
runtime latency zxcvbn operates below human perception of delay for most input: ~5-20ms for ~25 char passwords on modern browsers/CPUs, ~100ms for passwords around 100 characters. To bound runtime latency for really long passwords, consider sending zxcvbn() only the first 100 characters or so of user input.
zxcvbn()
script load latency zxcvbn.js bundled and minified is about 400kB gzipped or 820kB uncompressed, most of which is dictionaries. Consider these tips if you're noticing page load latency on your site.
zxcvbn.js
<script src="zxcvbn.js">
</body>
zxcvbn.js
zxcvbn()
<head>
zxcvbn.js
zxcvbn.js
requirejs()
async
<script>
<head>
zxcvbn.js
Bug reports and pull requests welcome! zxcvbn is built with CoffeeScript, browserify, and uglify-js. CoffeeScript source lives in src, which gets compiled, bundled and minified into dist/zxcvbn.js.
src
dist/zxcvbn.js
build
watch
dist/zxcvbn.js.map
Two source files, adjacency_graphs.coffee and frequency_lists.coffee, are generated by python scripts in data-scripts that read raw data from the data directory.
adjacency_graphs.coffee
frequency_lists.coffee
data-scripts
data
For node developers, in addition to dist, the zxcvbn npm module includes a lib directory (hidden from git) that includes one compiled .js and .js.map file for every .coffee in src. See prepublish in package.json to learn more.
dist
npm
lib
.js
.js.map
.coffee
src
prepublish
package.json