Github Dropbox Python Zxcvbn A Realistic Password Strength Estimator
Overview

Purpose and Scope

This document provides a high-level overview of the zxcvbn-python repository, a realistic password strength estimator. It covers the project's purpose, architecture, key components, and how they interact to analyze password strength.

For detailed information on specific subsystems, see:

- Installation and basic usage: Getting Started
- Complete API documentation: Python API Reference
- Internal architecture details: Core Architecture
- Data resources (frequency lists, adjacency graphs): Data Resources
- Development and testing: Development Guide

What is zxcvbn?

zxcvbn is a password strength estimator that provides realistic feedback on password security.
Unlike simple rule-based validators, zxcvbn uses pattern recognition to identify common password patterns and estimate the computational effort required to crack them through various attack scenarios. This repository is a Python port of the original JavaScript library created by Dropbox. The Python implementation maintains compatibility with the original while providing a native Python API and command-line interface.

Key capabilities:

- Detects common password patterns (dictionary words, keyboard patterns, sequences, dates, repeats, l33t substitutions)
- Estimates guessability and crack times under multiple attack scenarios
- Provides actionable feedback to help users improve password strength
- Supports custom user dictionaries and user-specific input filtering

- Current version: 4.5.0
- Supported Python versions: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13

Sources: setup.py:1-38, README.rst:1-165, CHANGELOG.md:1-206

Repository Structure

The repository follows a standard Python package structure:

Sources: setup.py:1-38, zxcvbn/__init__.py:1-42

Core Architecture and Data Flow

The zxcvbn system processes passwords through a four-stage pipeline.
Each stage builds upon the output of the previous stage to produce a comprehensive password strength assessment.

Pipeline Stages:

- Input Sanitization (zxcvbn/__init__.py:7-29): Validates password length, converts user inputs to lowercase strings
- Pattern Matching (zxcvbn/matching.py): omnimatch() detects 8 pattern types (dictionary, reverse, l33t, spatial, sequence, repeat, regex, date)
- Scoring (zxcvbn/scoring.py): most_guessable_match_sequence() calculates optimal match sequence and guess count using dynamic programming
- Time Estimation (zxcvbn/time_estimates.py): estimate_attack_times() converts guesses to crack times for 4 attack scenarios
- Feedback Generation (zxcvbn/feedback.py): get_feedback() produces warnings and suggestions based on detected patterns

Sources: zxcvbn/__init__.py:1-42, README.rst:36-104

System Architecture with Code Entities

This diagram shows the complete system architecture with actual module and function names:

Sources: zxcvbn/__init__.py:1-42, zxcvbn/matching.py, zxcvbn/scoring.py, zxcvbn/time_estimates.py, zxcvbn/feedback.py

Data Flow Through Code Functions

This sequence diagram illustrates the actual function calls and data transformations:

Sources: zxcvbn/__init__.py:7-41, README.rst:48-104

Key Components

Main API Function: zxcvbn()

The primary entry point is the zxcvbn() function in zxcvbn/__init__.py:7-41:

Function signature:

Parameters:

- password (str): The password to analyze
- user_inputs (list, optional): User-specific strings (names, birthdates, etc.) to add to dictionaries
- max_length (int, optional): Maximum allowed password length (default: 72)

Returns: Dictionary containing:

- password: The input password
- score: Integer 0-4 (0=terrible, 4=great)
- guesses: Estimated number of guesses to crack
- guesses_log10: Log base 10 of guesses
- calc_time: Timedelta for analysis duration
- crack_times_seconds: Dictionary of crack times in seconds for 4 scenarios
- crack_times_display: Dictionary of human-readable crack times
- sequence: List of match dictionaries representing the optimal match sequence
- feedback: Dictionary with warning and suggestions strings

Sources: zxcvbn/__init__.py:7-41, README.rst:36-104

Command-Line Interface: cli()

The CLI is implemented in zxcvbn/__main__.py and registered as a console script in setup.py:17-21:

Console script: zxcvbn (installed via entry point)

Usage:

The CLI reads the password from stdin and outputs JSON to stdout, making it easy to pipe through tools like jq.

Sources: setup.py:17-21, README.rst:137-149

Pattern Matching System

The matching system in zxcvbn/matching.py is the most complex subsystem. The omnimatch() function orchestrates 8 specialized matcher functions:

All matchers return a list of match dictionaries with fields: pattern, token, i, j (start/end indices), and pattern-specific metadata.

Sources: zxcvbn/matching.py, README.rst:73-103

Data Resources

Frequency Lists

The zxcvbn/frequency_lists.py module contains RANKED_DICTIONARIES, a dictionary mapping dictionary names to ranked word lists:

Words are ranked by frequency, with rank 1 being most common. The add_frequency_lists() function allows adding custom dictionaries at runtime.
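
A simplified dictionary matcher, added here as an illustration and not taken from the project's code, shows how ranked word lists and user-specific inputs turn into match dictionaries with the pattern, token, i and j fields described above. The RANKED table, the sample words, the helper names and the metadata field names are assumptions made for this example.

```python
# Added example: simplified dictionary matching over ranked word lists.
# Not the project's implementation; all data below is constructed.

def build_ranked_dict(ordered_words):
    """Map each word to its rank; rank 1 is the most common word."""
    return {str(w).lower(): rank for rank, w in enumerate(ordered_words, start=1)}

# Constructed stand-in for a frequency list (real lists are far larger).
RANKED = {"passwords": build_ranked_dict(["password", "123456", "qwerty", "dragon"])}

def dictionary_match(password, ranked_dictionaries):
    """Return one match dict per substring found in any ranked dictionary."""
    matches = []
    lowered = password.lower()
    for name, ranked in ranked_dictionaries.items():
        for i in range(len(password)):
            for j in range(i, len(password)):
                word = lowered[i:j + 1]
                if word in ranked:
                    matches.append({
                        "pattern": "dictionary",
                        "token": password[i:j + 1],  # original casing kept
                        "i": i,                      # inclusive start index
                        "j": j,                      # inclusive end index
                        "matched_word": word,
                        "rank": ranked[word],
                        "dictionary_name": name,
                    })
    return sorted(matches, key=lambda m: (m["i"], m["j"]))

def match_with_user_inputs(password, user_inputs):
    """Treat user-specific strings as an extra dictionary, then match."""
    dictionaries = dict(RANKED)  # shallow copy: the shared table is not mutated
    dictionaries["user_inputs"] = build_ranked_dict(user_inputs)
    return dictionary_match(password, dictionaries)

if __name__ == "__main__":
    # Constructed input: a password built from the user's own name and birth year.
    for m in match_with_user_inputs("AliceDragon1987", ["alice", "1987"]):
        print(m["token"], m["i"], m["j"], m["dictionary_name"], m["rank"])
```

Without the user inputs only "Dragon" is recognised; with them, the name and year are matched at low rank, so a password assembled from account details is no longer treated as unpredictable.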

Sources: zxcvbn/frequency_lists.py, README.rst:119-135

Adjacency Graphs

The zxcvbn/adjacency_graphs.py module contains ADJACENCY_GRAPHS, representing keyboard layouts for spatial pattern detection:

- qwerty: Standard QWERTY keyboard
- dvorak: Dvorak keyboard layout
- keypad: Numeric keypad
- mac_keypad: Mac numeric keypad

Each graph maps keys to their adjacent neighbors, enabling detection of patterns like "qwert" or "asdf".

Sources: zxcvbn/adjacency_graphs.py

Package Metadata and Distribution

The package is configured via setup.py:1-38 and setup.cfg:1-3:

Installation: pip install zxcvbn

Sources: setup.py:1-38, setup.cfg:1-3, README.rst:25-28

Testing and Quality Assurance

The project includes a comprehensive test suite in the tests/ directory, executed via a GitHub Actions CI/CD pipeline across all supported Python versions.

The testing infrastructure uses:

- Test framework: pytest
- Test orchestration: tox (tox.ini)
- Static analysis: mypy for type checking
- CI platform: GitHub Actions (.github/workflows/build.yml)

Key test files:

- tests/matching_test.py: Pattern matching validation
- tests/scoring_test.py: Scoring algorithm verification
- tests/zxcvbn_test.py: End-to-end integration tests
- tests/test_compatibility.py: Cross-version compatibility tests

Sources: CHANGELOG.md:1-46, based on CI/CD architecture diagram

Version History

Current version: 4.5.0 (released 2025-02-19)

Recent major changes:

- Lazy loading of frequency lists for improved performance
- Support for Python 3.12 and 3.13
- Configurable max_length parameter (default: 72) to prevent DoS attacks
- Thread-safe user inputs handling
- Improved l33t substitution detection
- Migration to GitHub Actions CI/CD with multi-version testing

For complete changelog, see Version History or CHANGELOG.md:1-206

Sources: CHANGELOG.md:1-46, setup.py:8