Type a password to see a zxcvbn strength score (0–4), estimated crack times under different threat models, and actionable feedback. Optional context words (name, pet, site) help penalize predictable choices. Analysis runs in your tab after the library loads — nothing is uploaded to DroidXP, same local-only model as our APK Analyzer and APK String Extractor.
zxcvbn uses the context words as extra dictionary sources, so passwords containing them score lower. Keep this field empty if you prefer not to type personal hints.
Copy redacts the password field in the JSON.
It runs the zxcvbn password-strength estimator in your browser (loaded from jsDelivr). You get a score from 0 (weak) to 4 (strong), human-readable crack-time estimates for a few attacker models, and feedback such as dictionary matches, sequences, spatial patterns, and repeats. You can optionally pass user-specific strings (for example fragments of your name or email) so passwords containing them are scored more harshly.
Displayed times assume specific guessing rates (for example “offline” with a slow hash vs “online” with throttling). Real sites use different hashing, salts, MFA, and lockouts — treat outputs as comparative guidance, not a security audit.
Your password and context words stay in the page memory. DroidXP servers do not receive them. The only network request is loading the zxcvbn script bundle from the CDN the first time (then cached by the browser).
No. Analysis runs locally after zxcvbn loads. Your password is not sent to DroidXP for this tool.
zxcvbn is an open-source password strength estimator developed at Dropbox. It scores passwords using pattern matching, dictionaries, and spatial sequences rather than only character-class rules.
0–1 are very guessable (common patterns or short secrets). 2 is moderate. 3–4 indicate much stronger resistance to offline guessing in the model — aim for 3+ for important accounts, combined with a unique password per site.
The library is a few hundred kilobytes (dictionaries included). Loading from jsDelivr keeps the DroidXP page small and lets browsers cache it across visits. If your policy forbids third-party scripts, self-host zxcvbn and block the CDN.
zxcvbn accepts an optional list of strings (often user name, email, company). If your password contains them, the score drops. This helps catch “password meets rules but is still predictable” cases.
No. This page only runs zxcvbn offline in the browser. Known-breach checks require a separate service and explicit consent.
They are illustrative. Real risk depends on how the service hashes passwords, rate limits logins, and whether MFA is required. Use these numbers to compare candidates, not to certify compliance.
Short strings, keyboard walks, or repeated chunks can still match internal heuristics. Try increasing length and true randomness (for example from our Password Generator).
The on-screen JSON redacts the password field for display. Copy report also redacts the password before copying — still avoid posting sensitive context words in public tickets.
Other apps may read clipboard data on some systems. Clear fields when done on shared machines, and prefer a password manager’s generated passwords for high-value accounts.
zxcvbn is tuned for typical text passwords. Numeric PINs and short codes follow different threat models; treat results as rough guidance only.
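How a guess count turns into the 0–4 score and the per-attacker crack times, and how a report can be made safe to copy, as an added example that is not DroidXP's or the zxcvbn project's own code. The guess rates and score thresholds are the ones zxcvbn uses; the function names and the sample result are assumptions made for illustration.

```javascript
// Added example, not DroidXP's code. Rates and thresholds are zxcvbn's
// published model; the sample result at the bottom is constructed.
const RATES_PER_SECOND = {
  online_throttling_100_per_hour: 100 / 3600,
  online_no_throttling_10_per_second: 10,
  offline_slow_hashing_1e4_per_second: 1e4,
  offline_fast_hashing_1e10_per_second: 1e10,
};

// Seconds needed to try `guesses` candidates under each attacker model.
function crackTimesSeconds(guesses) {
  return Object.fromEntries(
    Object.entries(RATES_PER_SECOND).map(([model, rate]) => [model, guesses / rate]));
}

// Map a guess count to the 0-4 score (thresholds 1e3, 1e6, 1e8, 1e10).
function scoreFromGuesses(guesses) {
  const DELTA = 5; // small margin zxcvbn adds to each threshold
  const score = [1e3, 1e6, 1e8, 1e10].findIndex((limit) => guesses < limit + DELTA);
  return score === -1 ? 4 : score;
}

// Build a report that is safe to copy: keep the numbers and feedback, drop the
// password and the matched substrings that each sequence entry carries.
function redactedReport(result) {
  return {
    password: "[redacted]",
    score: scoreFromGuesses(result.guesses),
    guesses: result.guesses,
    crack_times_seconds: crackTimesSeconds(result.guesses),
    feedback: result.feedback,
    sequence: (result.sequence || []).map((m) => ({ pattern: m.pattern, length: m.token.length })),
  };
}

// Constructed sample shaped like a zxcvbn result (values are illustrative).
const sampleResult = {
  password: "rex2019!",
  guesses: 1e6,
  feedback: { warning: "", suggestions: ["Add another word or two."] },
  sequence: [
    { pattern: "dictionary", token: "rex", matched_word: "rex" },
    { pattern: "regex", token: "2019" },
    { pattern: "bruteforce", token: "!" },
  ],
};
console.log(JSON.stringify(redactedReport(sampleResult), null, 2));
```

The same 1,000,000 guesses take about 100 seconds against a slow offline hash but roughly 36,000,000 seconds under online throttling, which is why the displayed times are only useful for comparing candidates.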