Password Strength Analyzer

Analyze password strength with scoring, crack time estimates, and improvement suggestions.

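POST /v1/auth/password-strength (1 credit)

cURL:

```bash
curl -X POST "https://auth.toolkitapi.io/v1/auth/password-strength" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "correct-horse-battery-staple"
  }'
```

Python:

```python
import httpx

# Send the candidate password for analysis; the API key goes in the Bearer header.
resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/password-strength",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={"password": "correct-horse-battery-staple"},
)
resp.raise_for_status()  # surface 4xx/5xx instead of parsing an error body
print(resp.json())
```

JavaScript:

```javascript
// Send the candidate password for analysis; the API key goes in the Bearer header.
const resp = await fetch("https://auth.toolkitapi.io/v1/auth/password-strength", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    password: "correct-horse-battery-staple",
  }),
});
const data = await resp.json();
console.log(data);
```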
Response 200 OK

```json
{
  "score": 3,
  "crack_time_display": "centuries",
  "feedback": {
    "warnings": [],
    "suggestions": ["Add another word or two. Uncommon words are better."]
  },
  "entropy_bits": 45.57
}
```

How to Use

1. Set the `password` field to the password you want to analyze.
2. Send a POST request. No other parameters are needed.
3. Check the `score` (0–4) and display the `crack_time_display` and `feedback` to your users.

About This Tool

The Password Strength Analyzer uses the zxcvbn algorithm (developed by Dropbox) to evaluate password strength realistically. Unlike naive checkers that only count character types, zxcvbn recognizes common patterns — dictionary words, keyboard sequences, dates, l33t substitutions, and repeated characters — to estimate actual resistance to cracking.

The endpoint returns a score from 0 (extremely weak) to 4 (very strong), an estimated crack time assuming offline attack scenarios, entropy in bits, and actionable feedback with specific warnings and suggestions for improvement.

This is designed for real-time password validation during registration or password change flows, giving users meaningful guidance instead of arbitrary rules like "must contain a special character."

Frequently Asked Questions

What do the score values mean?
0 = extremely weak (trivially guessable), 1 = weak, 2 = fair (somewhat guessable), 3 = strong (safely unguessable for most purposes), 4 = very strong. Most applications should require a minimum score of 3.

How is crack time estimated?
The crack time assumes an offline slow hashing scenario at 10,000 attempts per second (e.g., bcrypt). This is a conservative estimate — actual crack times depend on the hashing algorithm and attacker hardware.

Does zxcvbn detect dictionary words?
Yes. It checks against common password lists, English words, names, common patterns, keyboard sequences, and l33t speak substitutions. "P@ssw0rd" scores poorly despite meeting traditional complexity rules.

Should I use this instead of complexity rules?
Yes. NIST SP 800-63B recommends strength estimation over arbitrary complexity rules. zxcvbn provides more meaningful security assessment than requiring uppercase + lowercase + digit + symbol.
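
An added example (not the API provider's code) of a server-side gate over the response documented above: it enforces the FAQ's minimum score of 3, rejects a malformed response, and recomputes crack time from `entropy_bits` at more than one guess rate. It assumes `entropy_bits` is log2 of the estimated guess count; the 1e10/s rate and all function names are illustrative assumptions.

```python
# Added example: server-side gate over the documented response fields.
YEAR = 31_557_600  # seconds in a Julian year
UNITS = [("years", YEAR), ("days", 86_400), ("hours", 3_600), ("minutes", 60)]
MIN_SCORE = 3  # minimum the FAQ recommends for most applications

# Guesses per second. 1e4 is the page's stated assumption; 1e10 is an
# illustrative assumption for a fast, unsalted hash on attacker hardware.
GUESS_RATES = {"slow hash, 1e4/s": 1e4, "fast hash, 1e10/s (assumed)": 1e10}

# Constructed input: the example response shown on this page.
SAMPLE = {
    "score": 3,
    "crack_time_display": "centuries",
    "feedback": {"warnings": [],
                 "suggestions": ["Add another word or two. Uncommon words are better."]},
    "entropy_bits": 45.57,
}

def seconds_to_crack(entropy_bits, guesses_per_second):
    """Assumes entropy_bits = log2(estimated guesses), so guesses = 2**bits."""
    return 2.0 ** entropy_bits / guesses_per_second

def humanize(seconds):
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def crack_times(response):
    """Re-derive crack time at each rate instead of trusting one display string."""
    bits = response["entropy_bits"]
    return {label: humanize(seconds_to_crack(bits, rate))
            for label, rate in GUESS_RATES.items()}

def evaluate(response, min_score=MIN_SCORE):
    """Return (accepted, messages); reject when the response is unusable."""
    score = response.get("score") if isinstance(response, dict) else None
    if type(score) is not int or not 0 <= score <= 4:
        return False, ["Password strength could not be checked. Try again."]
    feedback = response.get("feedback") or {}
    messages = list(feedback.get("warnings") or []) + list(feedback.get("suggestions") or [])
    return score >= min_score, messages

if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(crack_times(SAMPLE))
```

The same 45.57 bits that reads as centuries at 10,000 guesses per second comes out in hours at the assumed fast-hash rate, so a score threshold does not replace slow, salted hashing of stored passwords.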
