zxcvbn
zxcvbn is a Python implementation of Dropbox's realistic password strength estimator. It evaluates password strength based on pattern matching and conservative entropy calculations, providing a score (0-4), verbal feedback, and crack time estimates. The library is currently at version 4.5.0 and is actively maintained, though releases occur on an irregular cadence, typically spanning months to a year between major updates.
Warnings
- breaking The official PyPI package name changed from `zxcvbn-python` to `zxcvbn`. Additionally, the original `dropbox/python-zxcvbn` GitHub repository is deprecated. Users should migrate to `pip install zxcvbn` and `from zxcvbn import zxcvbn` for the actively maintained version.
- breaking Older versions of `zxcvbn-python` supported Python 2.6-2.7. The current `zxcvbn` library (dwolfhub's fork) explicitly supports Python 3.8-3.13. Python 2 environments will not be compatible with the latest versions.
- gotcha Setting `max_length` for password inputs beyond approximately 72 characters can lead to significantly longer processing times. Because the algorithm is computationally intensive, this may expose server-side applications to denial-of-service (DoS) scenarios, so raising the limit is strongly advised against.
- gotcha The lazy loading of ranked dictionaries within `zxcvbn` is not thread-safe. This can lead to race conditions or unexpected behavior in multi-threaded applications if multiple threads attempt to access or initialize these dictionaries concurrently.
Install
pip install zxcvbn
Imports
- zxcvbn
from zxcvbn import zxcvbn
Quickstart
from zxcvbn import zxcvbn
# Basic password strength check
results = zxcvbn('password123')
print(f"Password: {results['password']}")
print(f"Score: {results['score']} (0=terrible, 4=great)")
print(f"Crack time display: {results['crack_times_display']['offline_fast_hashing_1e10_per_second']}")
if results['feedback'] and results['feedback']['suggestions']:
    print("Suggestions:")
    for suggestion in results['feedback']['suggestions']:
        print(f"- {suggestion}")
# With user-provided inputs (e.g., username, name) to penalize matching patterns
user_inputs = ['John', 'Smith', 'jsmith']
results_with_user_input = zxcvbn('JohnSmith123', user_inputs=user_inputs)
print(f"\nPassword (with user inputs): {results_with_user_input['password']}")
print(f"Score: {results_with_user_input['score']}")
if results_with_user_input['feedback'] and results_with_user_input['feedback']['warning']:
    print(f"Warning: {results_with_user_input['feedback']['warning']}")
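An added example, not part of the zxcvbn project or this page's original code: a server-side wrapper that addresses the `max_length` and thread-safety warnings above by scoring only a bounded prefix and serializing calls behind a lock. `StrengthChecker`, `default_checker`, `MAX_CHARS` and the `min_score` threshold are hypothetical names and policy choices; the estimator is injected so the class can also be exercised with a stub.

```python
import threading

MAX_CHARS = 72  # length bound taken from the max_length warning above


class StrengthChecker:
    """Bounded, serialized wrapper around a zxcvbn-style estimator (added example)."""

    def __init__(self, estimator, max_chars=MAX_CHARS, min_score=3):
        self._estimator = estimator
        self._max_chars = max_chars
        self._min_score = min_score  # hypothetical policy threshold
        self._lock = threading.Lock()
        # Assumption: one call from a single thread at start-up forces the
        # lazily loaded ranked dictionaries to initialise before any
        # concurrent request can race on them.
        with self._lock:
            self._estimator("warm-up", user_inputs=[])

    def check(self, password, user_inputs=()):
        # Score only a bounded prefix so estimator cost stays capped no
        # matter how long the submitted password is (a design choice here).
        prefix = password[: self._max_chars]
        # Conservative: serialise every call, not only the first load.
        with self._lock:
            result = self._estimator(prefix, user_inputs=list(user_inputs))
        feedback = result.get("feedback") or {}
        # Return a reduced view: the raw result echoes the password back
        # under 'password', which should not reach logs or API responses.
        return {
            "score": result["score"],
            "accepted": result["score"] >= self._min_score,
            "truncated": len(password) > self._max_chars,
            "warning": feedback.get("warning", ""),
            "suggestions": list(feedback.get("suggestions", [])),
        }


def default_checker():
    """Build a checker backed by the real library (needs `pip install zxcvbn`)."""
    from zxcvbn import zxcvbn  # imported here so the class is usable without it
    return StrengthChecker(zxcvbn)
```

Create one checker at process start-up (for example with `default_checker()`) and share it across request threads, so the warm-up call runs exactly once.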