Understanding zxcvbn Password Scoring
Learn how zxcvbn, the open-source password strength estimator by Dropbox, scores passwords from 0 to 4. Understand its pattern-matching approach and why it outperforms naive entropy calculations.
Detailed Explanation
What Is zxcvbn?
zxcvbn is an open-source password strength estimator developed by Dropbox. Unlike traditional strength meters that simply check for character class presence (uppercase, digit, symbol), zxcvbn uses pattern matching and frequency analysis to estimate how quickly an attacker could crack a given password.
The 0–4 Score Scale
zxcvbn assigns a score from 0 to 4:
| Score | Label | Guess Threshold | Meaning |
|---|---|---|---|
| 0 | Too guessable | < 10^3 guesses | Trivially crackable |
| 1 | Very guessable | < 10^6 guesses | Online attack viable |
| 2 | Somewhat guessable | < 10^8 guesses | Offline attack with common hardware |
| 3 | Safely unguessable | < 10^10 guesses | Resistant to offline attack |
| 4 | Very unguessable | >= 10^10 guesses | Strong against all current attacks |
Pattern Matching Engine
zxcvbn decomposes a password into a sequence of patterns, then finds the decomposition that minimizes the total number of guesses. Patterns include:
- Dictionary words: matches against multiple dictionaries (English, names, surnames, Wikipedia, TV/movies, passwords)
- Reversed words: "drowssap" is recognized as "password" reversed
- l33t substitutions: "p@55w0rd" is matched as a variant of "password"
- Sequences: "abcdef", "13579", keyboard walks like "qwerty"
- Repeats: "aaa", "abcabc"
- Dates: "19851225", "12/25/85"
- Spatial patterns: keyboard adjacency like "zxcvbn" itself
Why zxcvbn Outperforms Simple Meters
A simple entropy-based meter would rate Tr0ub4dor&3 as strong — it has 11 characters, mixed case, digits, and a symbol. But zxcvbn recognizes:
- "troubador" is a dictionary word
- "o" → "0" and "a" → "4" are common l33t substitutions
- "&" and "3" are common suffix patterns
Result: zxcvbn scores it as 1 (very guessable), estimating only ~30,000 guesses needed.
Conversely, a random 4-word passphrase like "correct horse battery staple" gets a score of 3 or 4 because no single pattern reduces the search space significantly.
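To make the scoring mechanics concrete, here is an added example that is not zxcvbn's own code: a miniature re-implementation of the same idea (pattern matchers, a minimum-guesses decomposition, and the 0-4 thresholds from the table above). The dictionary ranks, the l33t table and the capitalisation multiplier are constructed simplifications, so the guess counts it prints (for instance for Tr0ub4dor&3) will differ from the real library's ~30,000; what it shows is why the estimate is so far below what a character-class meter would assume.

```javascript
// Added example, not zxcvbn's own code: a miniature re-implementation of its
// approach. Dictionary ranks and the l33t table are CONSTRUCTED for illustration;
// the real library ships ranked lists with tens of thousands of entries and
// finer-grained multipliers, so guess counts here will not match its output.
const RANKS = { password: 1, "123456": 2, qwerty: 3, letmein: 4, troubador: 5,
                correct: 2000, horse: 3000, battery: 4000, staple: 9000 };
const DICT = new Map(Object.entries(RANKS));          // word -> rank (1 = most common)
const L33T = new Map(Object.entries({ "4": "a", "@": "a", "0": "o", "3": "e",
                                       "1": "i", "!": "i", "$": "s", "5": "s", "7": "t" }));
const BRUTEFORCE_CARDINALITY = 10;                    // per-character brute-force cost

// Dictionary, reversed and l33t matches for every substring of the password.
function dictionaryMatches(pw) {
  const out = [];
  for (let i = 0; i < pw.length; i++) {
    for (let j = i; j < pw.length; j++) {
      const token = pw.slice(i, j + 1);
      const lower = token.toLowerCase();
      const upper = /[A-Z]/.test(token) ? 2 : 1;      // simplified capitalisation penalty
      if (DICT.has(lower)) out.push({ i, j, pattern: "dictionary", token, guesses: DICT.get(lower) * upper });
      const rev = [...lower].reverse().join("");
      if (DICT.has(rev)) out.push({ i, j, pattern: "reversed", token, guesses: DICT.get(rev) * upper * 2 });
      let subs = 0;
      const unl33t = [...lower].map(c => (L33T.has(c) ? (subs++, L33T.get(c)) : c)).join("");
      if (subs > 0 && DICT.has(unl33t)) {
        out.push({ i, j, pattern: "l33t", token, guesses: DICT.get(unl33t) * upper * 2 ** subs });
      }
    }
  }
  return out;
}

// Repeats such as "aaa" or "abcabc": cost of the base unit (estimated recursively) times the repeat count.
function repeatMatches(pw) {
  const out = [];
  const re = /(.+?)\1+/g;
  let m;
  while ((m = re.exec(pw)) !== null) {
    const repeats = m[0].length / m[1].length;
    out.push({ i: m.index, j: m.index + m[0].length - 1, pattern: "repeat", token: m[0],
               guesses: estimate(m[1]).guesses * repeats });
  }
  return out;
}

// Runs of 3+ characters with a constant code-point step of 1..5, like "abcdef" or "13579".
function sequenceMatches(pw) {
  const out = [];
  let i = 0;
  while (i < pw.length - 2) {
    const delta = pw.charCodeAt(i + 1) - pw.charCodeAt(i);
    let j = i + 1;
    if (Math.abs(delta) < 1 || Math.abs(delta) > 5) { i++; continue; }
    while (j + 1 < pw.length && pw.charCodeAt(j + 1) - pw.charCodeAt(j) === delta) j++;
    if (j - i + 1 >= 3) {
      const base = /[aAzZ019]/.test(pw[i]) ? 4 : /\d/.test(pw[i]) ? 10 : 26;  // obvious starting points are cheap
      out.push({ i, j, pattern: "sequence", token: pw.slice(i, j + 1),
                 guesses: base * (j - i + 1) * (delta < 0 ? 2 : 1) });
    }
    i = j;
  }
  return out;
}

// Every substring can also simply be brute-forced: cardinality ^ length guesses.
function bruteforceMatches(pw) {
  const out = [];
  for (let i = 0; i < pw.length; i++) {
    for (let j = i; j < pw.length; j++) {
      out.push({ i, j, pattern: "bruteforce", token: pw.slice(i, j + 1),
                 guesses: BRUTEFORCE_CARDINALITY ** (j - i + 1) });
    }
  }
  return out;
}

const factorial = n => (n <= 1 ? 1 : n * factorial(n - 1));

// Dynamic programme over (end position, number of matches): the cheapest cover of
// the whole password, where a sequence of l matches costs l! * product(guesses).
function bestSequence(pw) {
  const all = [...dictionaryMatches(pw), ...repeatMatches(pw), ...sequenceMatches(pw), ...bruteforceMatches(pw)];
  const byEnd = Array.from({ length: pw.length }, () => []);
  for (const m of all) byEnd[m.j].push(m);
  const best = Array.from({ length: pw.length }, () => new Map());  // l -> { product, seq }
  const consider = (k, l, product, seq) => {
    if (!best[k].has(l) || best[k].get(l).product > product) best[k].set(l, { product, seq });
  };
  for (let k = 0; k < pw.length; k++) {
    for (const m of byEnd[k]) {
      if (m.i === 0) consider(k, 1, m.guesses, [m]);
      else for (const [l, prev] of best[m.i - 1]) consider(k, l + 1, prev.product * m.guesses, [...prev.seq, m]);
    }
  }
  let result = { guesses: Infinity, sequence: [] };
  for (const [l, cand] of best[pw.length - 1]) {
    const guesses = factorial(l) * cand.product;
    if (guesses < result.guesses) result = { guesses, sequence: cand.seq };
  }
  return result;
}

// The 0-4 scale, using the guess thresholds from the table above.
function scoreFromGuesses(g) {
  if (g < 1e3) return 0;
  if (g < 1e6) return 1;
  if (g < 1e8) return 2;
  if (g < 1e10) return 3;
  return 4;
}

function estimate(pw) {
  if (pw.length === 0) return { guesses: 1, score: 0, sequence: [] };
  const { guesses, sequence } = bestSequence(pw);
  return { guesses, score: scoreFromGuesses(guesses), sequence };
}

for (const pw of ["password", "P@ssw0rd!", "Tr0ub4dor&3", "drowssap", "correct horse battery staple"]) {
  const r = estimate(pw);
  console.log(pw, "=>", r.score, r.guesses, r.sequence.map(m => `${m.pattern}:${m.token}`).join(" + "));
}
```

Two design points carry over from the real library: the search is over the whole decomposition, not just the single cheapest pattern, and a factorial term charges for the attacker not knowing how many pieces there are, which is what keeps a multi-word passphrase expensive even when each word individually is common.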
Integrating zxcvbn in Applications
```javascript
import zxcvbn from "zxcvbn";
const result = zxcvbn("P@ssw0rd!");
console.log(result.score); // 0-4
console.log(result.crack_times_display); // human-readable estimates
console.log(result.feedback.suggestions); // improvement tips
```
The library also returns specific feedback — actionable suggestions like "Add another word or two" or "Avoid common passwords" — making it ideal for real-time password creation interfaces.
Limitations
- The dictionaries are English-centric; non-English common passwords may not be detected
- zxcvbn does not check breach databases (combine with Have I Been Pwned for full coverage)
- The library adds ~400KB to a JavaScript bundle (consider lazy-loading)
Use Case
zxcvbn is the industry standard for client-side password strength estimation, used by Dropbox, WordPress, and many other services. Developers integrate it into sign-up flows for real-time feedback, security teams use its scoring to set minimum password requirements, and analysts reference its pattern-matching approach when evaluating authentication security.