
zxcvbn Password Strength API (with HIBP Breach Checks)

zxcvbn is the password strength estimator Dropbox open-sourced — far smarter than "8 characters and a symbol" rules. But bundling it (and keeping breach checks safe) is work you can skip.

One POST returns the zxcvbn score, realistic crack-time estimates, and human-readable feedback. A second endpoint checks the password against Have I Been Pwned using the k-anonymity range protocol, so only a five-character SHA-1 prefix is ever forwarded to HIBP and the password itself is handled in memory for the duration of your request.

Score a password with zxcvbn

curl
curl -X POST "https://password-strength2.p.rapidapi.com/check" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: password-strength2.p.rapidapi.com" \
  -H "Content-Type: application/json" \
  -d '{"password":"P@ssw0rd123"}'
Response (abridged)
{
  "score": 1,
  "guesses": 15000,
  "crackTimesDisplay": {
    "online_no_throttling_10_per_second": "25 minutes",
    "offline_fast_hashing_1e10_per_second": "less than a second"
  },
  "feedback": {
    "warning": "This is similar to a commonly used password",
    "suggestions": ["Add another word or two. Uncommon words are better."]
  }
}

Check for breaches without exposing the password

POST /pwned checks the password against the Have I Been Pwned corpus using the k-anonymity range protocol: the SHA-1 of the password is computed, only its first five hex characters are sent upstream, and the returned candidate suffixes are matched locally. HIBP never sees the password or its full hash; the API itself handles the password only in memory for the lifetime of the request. You get back whether it appeared in known breaches and how many times.

curl
curl -X POST "https://password-strength2.p.rapidapi.com/pwned" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: password-strength2.p.rapidapi.com" \
  -H "Content-Type: application/json" \
  -d '{"password":"P@ssw0rd123"}'
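What the /pwned endpoint does on your behalf, written out as an added example (this is not the API's own code). It splits the SHA-1 into the 5-character prefix that is sent to HIBP and the 35-character suffix that stays local, then matches the suffix against the range response. The range body below is constructed for this example: it is shaped like a real response for prefix 5BAA6 (the SHA-1 prefix of "password") but the counts are made up, and the final count-0 line stands in for the padding entries HIBP adds when the Add-Padding header is set. fetch_range() is only needed for a live call and is not exercised offline.

```python
from __future__ import annotations

import hashlib
import urllib.request  # used only by fetch_range(); the offline demo never calls it

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample range response for prefix 5BAA6 (SHA-1 of "password").
# Counts are invented. The last line imitates a padding entry (count 0), which
# HIBP returns when the request carries "Add-Padding: true" and must be
# treated as "not breached".
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E9F3AE9C7E4E4B6FA7C6B4E6A0E5D2B3C4:0
"""


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is disclosed upstream and the 35-char suffix that never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings, blank lines and lowercase hex so that a
    slightly different upstream format does not silently yield 'not breached'.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the range response (0 if never).

    The suffix comparison happens here, locally: the only thing that was sent
    upstream to obtain range_body was the 5-character prefix. Padding entries
    carry count 0, so they naturally fall through as 'not breached'.
    """
    _, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live GET /range/{prefix}. Add-Padding makes every response a similar
    size so a network observer cannot infer the prefix from the length."""
    if len(prefix) != 5:
        raise ValueError("HIBP range prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """End-to-end live check; only the prefix leaves this process."""
    prefix, _ = hash_prefix_and_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = hash_prefix_and_suffix("password")
    print(f"sent upstream: {prefix}   kept local: {suffix}")
    print("breach count:", breach_count("password", SAMPLE_RANGE_5BAA6))
```

If you call HIBP directly rather than through the API, keep the Add-Padding header and treat count-0 lines as clean; without padding, response length alone leaks which prefix was queried.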

Generate passwords and enforce a policy

POST /generate returns strong random passwords with configurable length and character classes, and POST /policy validates a password against rules (minimum length, required classes, minimum zxcvbn score) in one call — useful for signup forms and admin password resets.

Why an API instead of bundling the library

zxcvbn's dictionaries add roughly 800 KB to a front-end bundle, and NIST SP 800-63B requires checking candidate passwords against known-breach corpora, which a bundled library cannot do on its own: it needs either a local copy of the corpus or a call to a breach service such as HIBP. One backend call gets you both, and nothing is logged or stored.

Run it in production

Password Strength has a permanent free tier — 1,000 requests a month, no credit card. Paid plans start at $5/month for 100,000 requests.

Get a free API key on RapidAPI ↗

Full endpoint reference →

FAQ

Is the password stored or logged anywhere?

No. Scoring runs in-memory and the breach check uses k-anonymity (only a 5-character hash prefix leaves the server). Nothing is persisted.

What score should I require?

zxcvbn scores 0-4. Requiring 3+ for regular accounts and 4 for admin accounts is a common policy; combine it with a breach check per NIST 800-63B.

Is this the same algorithm as Dropbox's zxcvbn?

Yes — the same estimator, exposed as a stateless HTTP endpoint with crack-time estimates and feedback text.