gitmyhub

zxcvbn

CoffeeScript ★ 16k updated 1y ago

Low-Budget Password Strength Estimation

zxcvbn is a JavaScript library that estimates how hard a password is to crack by recognizing real attack patterns like common words, keyboard sequences, and dates, giving users a realistic 0-to-4 strength score.

CoffeeScript · JavaScript · setup: easy · complexity 2/5

zxcvbn is a password strength estimator — a library you can add to a website or app to give users instant, realistic feedback on how strong their chosen password is. Instead of enforcing rigid rules like "must contain a number and a symbol," zxcvbn analyzes how hard a password would be for an attacker to guess, which is a better measure of actual security.

It does this by recognizing common patterns: 30,000 frequently used passwords, common English words, popular names, keyboard sequences like "qwerty", repeated characters, dates, and "l33t speak" substitutions (like replacing letters with numbers). For each password, it estimates how many guesses an attacker would need to crack it under different attack scenarios, for example an online attack where attempts are limited versus an offline attack using fast hardware. The result includes a numeric score from 0 to 4, a rough estimate of crack time, and brief human-readable suggestions to help users pick better passwords.

The library is built with CoffeeScript (a language that compiles to JavaScript) and was created at Dropbox, which uses it in its own products. It works in web browsers and on servers, and community-contributed ports exist for many other programming languages. You call it with a single function, passing in the password string and optionally a list of user-specific terms (like the user's name or email) that should count as weak.
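The sketch below is an added illustration, not zxcvbn's code. It shows why pattern-based guess estimation disagrees with composition rules, and how user-specific terms change the result. The word list, the guess model and the names `estimate` and `meetsCompositionRules` are constructed assumptions; the score thresholds and the two attack rates follow the upstream zxcvbn README rather than this page.

```javascript
// Added illustration, not zxcvbn's code: constructed word list, simplified guess model.
const COMMON = ["password", "qwerty", "dragon", "letmein", "monkey"]; // constructed; rank = index + 1
const L33T = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t" };
const ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const deleet = (s) => [...s].map((c) => L33T[c] || c).join("");

// Return the cheapest route (pattern name + guess count) by which the password could be guessed.
function estimate(password, userInputs = []) {
  const lower = password.toLowerCase();
  const [, base, digits] = /^(.*?)(\d{0,4})$/s.exec(lower); // word + short numeric suffix
  const words = [...userInputs.map((w) => w.toLowerCase()), ...COMMON];
  const candidates = [];
  // Dictionary hit (user-specific terms rank first), times l33t, capitalisation and suffix variants.
  const plain = deleet(base);
  const rank = words.indexOf(plain) + 1;
  if (rank > 0) {
    const variants = (plain !== base ? 2 : 1) * (password !== lower ? 2 : 1);
    candidates.push({ pattern: "dictionary", guesses: rank * variants * 10 ** digits.length });
  }
  // Keyboard row run, forwards or backwards: rows x start positions x directions x length.
  const reversed = [...lower].reverse().join("");
  if (lower.length >= 4 && ROWS.some((r) => r.includes(lower) || r.includes(reversed))) {
    candidates.push({ pattern: "keyboard", guesses: ROWS.length * 10 * 2 * lower.length });
  }
  // One character repeated: choice of character x length.
  if (/^(.)\1{2,}$/.test(password)) {
    candidates.push({ pattern: "repeat", guesses: 95 * password.length });
  }
  // Fallback: exhaustive search over the character classes actually used.
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/\d/.test(password)) pool += 10;
  if (/[^a-zA-Z\d]/.test(password)) pool += 33;
  candidates.push({ pattern: "bruteforce", guesses: pool ** password.length });

  const best = candidates.reduce((a, b) => (b.guesses < a.guesses ? b : a));
  // Score 0..4: one step for each threshold (10^3, 10^6, 10^8, 10^10) the guess count reaches.
  const score = [1e3, 1e6, 1e8, 1e10].filter((t) => best.guesses >= t).length;
  return {
    ...best,
    score,
    onlineThrottledSeconds: (best.guesses * 3600) / 100, // online, 100 guesses per hour
    offlineFastSeconds: best.guesses / 1e10,             // offline, 1e10 guesses per second
  };
}

// What a "must contain upper, lower, digit and symbol" rule would say about the same password.
const meetsCompositionRules = (p) =>
  p.length >= 8 && /[a-z]/.test(p) && /[A-Z]/.test(p) && /\d/.test(p) && /[^a-zA-Z\d]/.test(p);
```

With this model, `P@ssw0rd1` satisfies the composition rule yet resolves to a dictionary pattern with 40 guesses and score 0, and `alice1985` drops from score 4 to score 1 once `["alice"]` is passed as a user-specific term.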

Where it fits