What is it

com.nulabinc.zxcvbn, so named after one of the 100 most common passwords, is a password strength estimator.

Why use it

People aren't very good at picking passwords. While it is technically their fault if they make their password 123456 and get their bank account stolen, that can very quickly become your problem.

Some services try to mitigate this by asking that passwords have letters, numbers, and "special characters" in them. This doesn't stop things like P@ssW1rd!, which will be guessed by password crackers in under a millisecond.

com.nulabinc.zxcvbn will instead try to figure out how easy it will be for a password cracker to guess the password. This will lead to your users having generally stronger passwords.

Getting Started

import com.nulabinc.zxcvbn.WipeableString;
import com.nulabinc.zxcvbn.Zxcvbn;

void main() {
    var zxcvbn = new Zxcvbn();

    // Pro-tip, storing passwords in mutable structures lets
    // you lower the time they are floating around in program
    // memory. This decreases the window of opportunity for
    // attackers that might have found a way to poke around
    // in your process.
    // If that sort of attack isn't in your threat model, you
    // can use regular Strings.
    var password = new WipeableString("P@ssw0rd!");

    var strength = zxcvbn.measure(password);

    var warning = strength.getFeedback().getWarning();
    // This is similar to a commonly used password.
    System.out.println(warning);

    var suggestions = strength.getFeedback().getSuggestions();
    // Add another word or two. Uncommon words are better.
    // Capitalization doesn't help very much.
    // Predictable substitutions like '@' instead of 'a' don't help very much.
    System.out.println(String.join("\n", suggestions));

    // Scores run from 0 (most guessable) to 4; this password prints "fair".
    switch (strength.getScore()) {
        case 0 -> System.out.println("weak");
        case 1 -> System.out.println("fair");
        case 2 -> System.out.println("good");
        case 3 -> System.out.println("strong");
        default -> System.out.println("very strong");
    }

    // Done with the secret: zero it rather than waiting for the GC.
    password.wipe();
}
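A registration-time check built on the same API, added here as an example (it is not code from this page or from the zxcvbn4j project): it hands the account's own username and e-mail address to the library's measure(password, sanitizedInputs) overload so they count as dictionary words, rejects anything scoring below a threshold, and wipes the secret afterwards. The PasswordPolicy class name and the MIN_SCORE threshold of 3 are this example's own choices, not library defaults.

```java
import com.nulabinc.zxcvbn.WipeableString;
import com.nulabinc.zxcvbn.Zxcvbn;

import java.nio.CharBuffer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

public final class PasswordPolicy {
    // Assumed policy threshold on zxcvbn's 0..4 score; not a library default.
    private static final int MIN_SCORE = 3;
    private final Zxcvbn zxcvbn = new Zxcvbn();

    // Returns empty when the password is acceptable, otherwise a message for the user.
    // The password array is zeroed before returning, so callers must not reuse it.
    public Optional<String> check(String username, String email, char[] password) {
        // Account-specific words an attacker would try first; passing them as
        // sanitizedInputs makes zxcvbn treat them as dictionary entries.
        List<String> knownInputs = new ArrayList<>();
        knownInputs.add(username);
        knownInputs.add(email);
        int at = email.indexOf('@');
        if (at > 0) knownInputs.add(email.substring(0, at));

        WipeableString wipeable = new WipeableString(CharBuffer.wrap(password));
        try {
            var strength = zxcvbn.measure(wipeable, knownInputs);
            if (strength.getScore() >= MIN_SCORE) {
                return Optional.empty();
            }
            var feedback = strength.getFeedback();
            StringBuilder message = new StringBuilder("Password is too easy to guess.");
            String warning = feedback.getWarning();
            if (warning != null && !warning.isEmpty()) {
                message.append(' ').append(warning);
            }
            for (String suggestion : feedback.getSuggestions()) {
                message.append('\n').append(suggestion);
            }
            return Optional.of(message.toString());
        } finally {
            // Zero both copies of the secret as soon as the measurement is done.
            wipeable.wipe();
            Arrays.fill(password, '\0');
        }
    }
}
```

With a constructed input such as check("alice", "alice@example.com", "alice@example.com!".toCharArray()), the e-mail address is matched as a known input and the call returns a rejection message instead of an empty Optional.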
