zxcvbn Password Strength API (with HIBP Breach Checks)
zxcvbn is the password strength estimator Dropbox open-sourced — far smarter than "8 characters and a symbol" rules. But bundling it (and keeping breach checks safe) is work you can skip.
One POST returns the zxcvbn score, realistic crack-time estimates, and human-readable feedback. A second endpoint checks the password against Have I Been Pwned using k-anonymity, so HIBP only ever sees a 5-character hash prefix, never the password or its full hash.
Score a password with zxcvbn
curl -X POST "https://password-strength2.p.rapidapi.com/check" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: password-strength2.p.rapidapi.com" \
-H "Content-Type: application/json" \
-d '{"password":"P@ssw0rd123"}'

Response:

{
  "score": 1,
  "guesses": 15000,
  "crackTimesDisplay": {
    "online_no_throttling_10_per_second": "25 minutes",
    "offline_fast_hashing_1e10_per_second": "less than a second"
  },
  "feedback": {
    "warning": "This is similar to a commonly used password",
    "suggestions": ["Add another word or two. Uncommon words are better."]
  }
}

Check for breaches without exposing the password
POST /pwned checks the password against the Have I Been Pwned corpus using the k-anonymity range protocol: the password is hashed with SHA-1 and only the first five hex characters of that hash are sent upstream. HIBP answers with every hash suffix it holds for that prefix, and the comparison against the remaining 35 characters happens on our side, so HIBP never sees the password or even its full hash. You get back whether it appeared in known breaches and how many times. Note that the plaintext password is still posted to this API over TLS and is handled in memory only (see the FAQ); if that does not fit your threat model, the same range lookup is simple enough to run from your own backend.
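The range protocol described above, as an added example that is not the API's own code. It hashes the password, sends only the 5-character prefix to the range endpoint, parses the "SUFFIX:COUNT" lines HIBP returns and matches the suffix locally. The HIBP reply used here is a constructed stand-in (fake_hibp_range) so the example runs offline; the counts in it are made up. The hibp_range_fetcher function shows the real request but is not called.

```python
"""Have I Been Pwned k-anonymity range check (added example, not the API's code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the host; the 35-character suffix
    is kept locally for matching.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """HIBP returns one 'SUFFIX:COUNT' line per hash in the queried range."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def hibp_range_fetcher(prefix: str) -> str:
    """Real network fetch (not exercised here). Add-Padding asks HIBP to pad the
    response so its size does not leak how many hashes the range contains."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in HIBP; 0 if not found.

    fetch_range(prefix) performs the upstream GET and is only ever handed the
    5-character prefix, never the password or the full hash.
    """
    prefix, suffix = split_for_range_query(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the HIBP range service. The breached passwords and
# their counts are invented for this example; real corpus counts differ.
FAKE_BREACHED = {"password": 3861493, "123456": 37359195}


def fake_hibp_range(prefix: str) -> str:
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix), \
        "a range query must carry exactly five hex characters"
    lines = []
    for pw, count in FAKE_BREACHED.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # Padding-style filler line (constructed) so the reply is never empty.
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd123"):
        n = pwned_count(candidate, fake_hibp_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```

Swap fake_hibp_range for hibp_range_fetcher to query the real corpus; the matching logic and the privacy property (only the prefix is sent) stay the same.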
curl -X POST "https://password-strength2.p.rapidapi.com/pwned" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: password-strength2.p.rapidapi.com" \
-H "Content-Type: application/json" \
-d '{"password":"P@ssw0rd123"}'

Generate passwords and enforce a policy
POST /generate returns strong random passwords with configurable length and character classes, and POST /policy validates a password against rules (minimum length, required classes, minimum zxcvbn score) in one call — useful for signup forms and admin password resets.
Why an API instead of bundling the library
zxcvbn's dictionaries add roughly 800 KB (minified) to a front-end bundle, and NIST SP 800-63B requires verifiers to compare new passwords against a list of known-compromised values. That comparison has to be enforced server-side in any case, since a browser-only check can be bypassed. One backend call gets you both, and nothing is logged or stored.
Run it in production
Password Strength has a permanent free tier — 1,000 requests a month, no credit card. Paid plans start at $5/month for 100,000 requests.
FAQ
Is the password stored or logged anywhere?
No. Scoring runs in-memory and the breach check uses k-anonymity: only the first five hex characters of the SHA-1 hash are sent to HIBP, never the password or the full hash. Nothing is persisted.
What score should I require?
zxcvbn scores 0-4. Requiring 3+ for regular accounts and 4 for admin accounts is a common policy; combine it with a breach check per NIST 800-63B.
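The policy rules described under "Generate passwords and enforce a policy" and the thresholds suggested in this answer, as an added example that is not the API's own code. It assumes the zxcvbn score comes from the /check response and the breach count from /pwned (both are passed in as integers), generates passwords that satisfy a class rule from a CSPRNG, and reports which rules a candidate violates instead of a bare pass/fail. The Policy fields and the USER_POLICY/ADMIN_POLICY presets are this example's own names.

```python
"""Password generation and policy evaluation (added example, not the API's code)."""
import secrets
import string
from dataclasses import dataclass
from typing import List, Tuple

# Character classes a policy can require. The symbol set is this example's choice.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}


def generate_password(length: int = 20,
                      classes: Tuple[str, ...] = ("lower", "upper", "digit", "symbol")) -> str:
    """Random password that contains at least one character of every requested class.

    Uses the secrets module (OS CSPRNG). One character is drawn from each
    required class, the rest from the union alphabet, and the positions are
    shuffled so the guaranteed characters do not sit at fixed offsets.
    """
    if length < len(classes):
        raise ValueError("length too short for the requested classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


@dataclass
class Policy:
    min_length: int = 12
    required_classes: Tuple[str, ...] = ("lower", "upper", "digit")
    min_score: int = 3            # zxcvbn score, 0-4
    reject_if_pwned: bool = True  # any HIBP hit fails the password


# Presets following the FAQ: 3+ for regular accounts, 4 for admin accounts.
USER_POLICY = Policy()
ADMIN_POLICY = Policy(min_length=16,
                      required_classes=("lower", "upper", "digit", "symbol"),
                      min_score=4)


def check_policy(password: str, zxcvbn_score: int, pwned_count: int,
                 policy: Policy) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes.

    zxcvbn_score is the 'score' field from /check and pwned_count the breach
    count from /pwned; neither is recomputed here.
    """
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for cls in policy.required_classes:
        if not any(ch in CLASSES[cls] for ch in password):
            problems.append(f"no {cls} character")
    if zxcvbn_score < policy.min_score:
        problems.append(f"zxcvbn score {zxcvbn_score} below required {policy.min_score}")
    if policy.reject_if_pwned and pwned_count > 0:
        problems.append(f"found {pwned_count} times in known breaches")
    return problems


if __name__ == "__main__":
    # Score and count below are the values shown on this page / assumed, not recomputed.
    print(check_policy("P@ssw0rd123", zxcvbn_score=1, pwned_count=0, policy=USER_POLICY))
    fresh = generate_password(20)
    print(fresh, check_policy(fresh, zxcvbn_score=4, pwned_count=0, policy=ADMIN_POLICY))
```

Returning the full list of violations rather than the first one lets a signup form show every problem at once, which is what the /policy endpoint is for; the score and breach count still have to come from the scoring and breach endpoints (or an equivalent local lookup).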
Is this the same algorithm as Dropbox's zxcvbn?
Yes — the same estimator, exposed as a stateless HTTP endpoint with crack-time estimates and feedback text.