{"id":2369,"library":"zxcvbn","title":"zxcvbn","description":"zxcvbn is a Python implementation of Dropbox's realistic password strength estimator. It evaluates password strength based on pattern matching and conservative entropy calculations, providing a score (0-4), verbal feedback, and crack time estimates. The library is currently at version 4.5.0 and is actively maintained, though releases occur on an irregular cadence, typically spanning months to a year between major updates.","status":"active","version":"4.5.0","language":"en","source_language":"en","source_url":"https://github.com/dwolfhub/zxcvbn-python","tags":["security","password-strength","validation","cryptography"],"install":[{"cmd":"pip install zxcvbn","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"The library is tested with Python versions 3.8-3.13.","package":"python","optional":false}],"imports":[{"note":"The PyPI package `zxcvbn-python` was deprecated; the current, maintained package is simply `zxcvbn`.","wrong":"from zxcvbn_python import zxcvbn","symbol":"zxcvbn","correct":"from zxcvbn import zxcvbn"}],"quickstart":{"code":"from zxcvbn import zxcvbn\n\n# Basic password strength check\nresults = zxcvbn('password123')\nprint(f\"Password: {results['password']}\")\nprint(f\"Score: {results['score']} (0=terrible, 4=great)\")\nprint(f\"Crack time display: {results['crack_times_display']['offline_fast_hashing_1e10_per_second']}\")\nif results['feedback'] and results['feedback']['suggestions']:\n    print(\"Suggestions:\")\n    for suggestion in results['feedback']['suggestions']:\n        print(f\"- {suggestion}\")\n\n# With user-provided inputs (e.g., username, name) to penalize matching patterns\nuser_inputs = ['John', 'Smith', 'jsmith']\nresults_with_user_input = zxcvbn('JohnSmith123', user_inputs=user_inputs)\nprint(f\"\\nPassword (with user inputs): {results_with_user_input['password']}\")\nprint(f\"Score: {results_with_user_input['score']}\")\nif 
results_with_user_input['feedback'] and results_with_user_input['feedback']['warning']:\n    print(f\"Warning: {results_with_user_input['feedback']['warning']}\")","lang":"python","description":"This quickstart demonstrates how to import and use the `zxcvbn` function to evaluate password strength. It shows a basic check and an example of providing `user_inputs` to improve the accuracy of the strength calculation by penalizing common user-related patterns in the password. The output includes a score, crack time estimates, and feedback."},"warnings":[{"fix":"Update your `requirements.txt` to `zxcvbn` and import statements to `from zxcvbn import zxcvbn`.","message":"The official PyPI package name changed from `zxcvbn-python` to `zxcvbn`. Additionally, the original `dropbox/python-zxcvbn` GitHub repository is deprecated. Users should migrate to `pip install zxcvbn` and `from zxcvbn import zxcvbn` for the actively maintained version.","severity":"breaking","affected_versions":"< 4.4.25 (for `zxcvbn-python` PyPI), all (for `dropbox/python-zxcvbn` GitHub)"},{"fix":"Upgrade your Python environment to Python 3.8 or newer to use the latest `zxcvbn`.","message":"Older versions of `zxcvbn-python` supported Python 2.6-2.7. The current `zxcvbn` library (dwolfhub's fork) explicitly supports Python 3.8-3.13. Python 2 environments will not be compatible with the latest versions.","severity":"breaking","affected_versions":"All versions from 4.4.25 onwards"},{"fix":"Implement client-side or server-side truncation/validation for extremely long passwords before passing them to `zxcvbn`, or limit the `max_length` parameter if custom implementations allow it.","message":"Setting `max_length` for password inputs beyond approximately 72 characters can lead to significantly longer processing times. This may expose server-side applications to potential denial-of-service (DoS) scenarios due to the computational intensity of the algorithm. 
Doing so is strongly advised against.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure that the first call to `zxcvbn()` or any dictionary-loading mechanism occurs in a single-threaded context, or implement explicit locking around initialization if using the library in a multi-threaded environment.","message":"The lazy loading of ranked dictionaries within `zxcvbn` is not thread-safe. This can lead to race conditions or unexpected behavior in multi-threaded applications if multiple threads attempt to access or initialize these dictionaries concurrently.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}