Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

zxcvbn4j Build Coverage Status Maven Central

This is a Java version of zxcvbn, a password strength estimator originally written in JavaScript and inspired by password cracking tools. It uses pattern matching and conservative estimation to assess the strength of passwords. It can identify and evaluate the strength of over 30,000 common passwords, as well as common names and surnames based on US census data. It also recognizes popular English words from Wikipedia, US television shows, and movies. Additionally, it can detect other common password patterns such as dates, repeated characters (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Related articles:

Table of Contents

Mapping Original to Ported Versions

Ported Version Original zxcvbn Version
1.2.3 - latest 4.4.2
1.2.1 - 1.2.2 4.4.1
1.1.0 - 1.2.0 4.4.0
1.0.0 - 1.0.2 4.2.0

Special Features

Customize Internal Dictionaries and Keyboards

  • You can customize the dictionary and keyboard layout used by the measurement algorithm to better suit your specific needs.

Localize Feedback Messages

  • zxcvbn4j allows you to localize the default English feedback messages into other languages.

Default Language Support

JIS Keyboard Layout Support

  • zxcvbn4j includes support for the JIS keyboard layout in spatial matching.

Accepting Passwords as CharSequence or String

  • This feature provides greater flexibility in the format of the password input.
  • It also aims to avoid using Strings for any sensitive intermediate objects, enhancing security.



compile 'com.nulab-inc:zxcvbn:1.8.2'




$ git clone
$ cd ./zxcvbn4j
$ ./gradlew build    # build
$ ./gradlew test     # test
$ ./gradlew jmh      # benchmark



This is also available Android.

Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");

If you want to add your own dictionary, put the keyword list of List type to the second argument.

List<String> sanitizedInputs = new ArrayList();

Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password", sanitizedInputs);

Strength Properties

The return result is "Strength". It's almost the same as zxcvbn.

# estimated guesses needed to crack password

# order of magnitude of strength.guesses

# dictionary of back-of-the-envelope crack time
# estimations, in seconds, based on a few scenarios
  # online attack on a service that ratelimits password auth attempts.

  # online attack on a service that doesn't ratelimit,
  # or where an attacker has outsmarted ratelimiting.

  # offline attack. assumes multiple attackers,
  # proper user-unique salting, and a slow hash function
  # w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.

  # offline attack with user-unique salting but a fast hash
  # function like SHA-1, SHA-256 or MD5. A wide range of
  # reasonable numbers anywhere from one billion - one trillion
  # guesses per second, depending on number of cores and machines.
  # ballparking at 10B/sec.

# same keys as result.crack_time_seconds,
# with friendlier display string values:
# "less than a second", "3 hours", "centuries", etc.

# Integer from 0-4 (useful for implementing a strength bar)
# 0 Weak        (guesses < 10^3 + 5)
# 1 Fair        (guesses < 10^6 + 5)
# 2 Good        (guesses < 10^8 + 5)
# 3 Strong      (guesses < 10^10 + 5)
# 4 Very strong (guesses >= 10^10 + 5)

# verbal feedback to help choose better passwords. set when score <= 2.
  # explains what's wrong, eg. 'this is a top-10 common password'.
  # not always set -- sometimes an empty string

  # a possibly-empty list of suggestions to help choose a less
  # guessable password. eg. 'Add another word or two'

# the list of patterns that zxcvbn based the guess calculation on.

# how long it took zxcvbn to calculate an answer, in milliseconds.

Customize internal dictionaries and keyboards

Zxcvbn can build with ZxcvbnBuilder. ZxcvbnBuilder can customize dictionaries and keyboards used in measurements.

Use resources on the classpath

ClasspathResource can get your own dictionary and keyboard file on the classpath. DictionaryLoader load dictionary file. SlantedKeyboardLoader and AlignedKeyboardLoader load keyboard file.

Zxcvbn zxcvbn = new ZxcvbnBuilder()
        .dictionary(new DictionaryLoader("us_tv_and_film", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/dictionarys/us_tv_and_film.txt")).load())
        .keyboard(new SlantedKeyboardLoader("qwerty", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/qwerty.txt")).load())
        .keyboard(new AlignedKeyboardLoader("keypad", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/keypad.txt")).load())

Use resources get via HTTP

To use dictionary and keyboard files other than the classpath, implement the Resource interface. This code is an example of getting and loading a file via HTTP(s).

URL dictionaryURL = new URL("");
Resource myDictionaryResource = new MyResourceOverHTTP(dictionaryURL);

URL keyboardURL = new URL("");
Resource myKeyboardURLResource = new MyResourceOverHTTP(keyboardURL);

Zxcvbn zxcvbn = new ZxcvbnBuilder()
        .dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
        .keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())

public class MyResourceOverHTTP implements Resource {

    private URL url;

    public MyResourceOverHTTP(URL url) {
        this.url = url;

    public InputStream getInputStream() throws IOException {
        HttpURLConnection conn = (HttpURLConnection) this.url.openConnection();
        return conn.getInputStream();

Use file resources other than classpath

This code is an example of using files in other directories than the classpath.

File dictionaryFile = new File("/home/foo/dictionary.txt");
Resource myDictionaryResource = new MyResourceFromFile(dictionaryFile);

File keyboardFile = new File("/home/bar/keyboard.txt");
Resource myKeyboardURLResource = new MyResourceFromFile(keyboardFile);

Zxcvbn zxcvbn = new ZxcvbnBuilder()
    .dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
    .keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())

public class MyResourceFromFile implements Resource {

    private File file;

    public MyResourceFromFile(File file) {
        this.file = file;

    public InputStream getInputStream() throws IOException {
        return new FileInputStream(this.file);

Use all default resources

StandardDictionaries.loadAllDictionaries() loads all default dictionary files. StandardDictionaries.loadAllKeyboards() loads all default keyboard files.

Zxcvbn zxcvbn = new Zxcvbn();


Zxcvbn zxcvbn = new ZxcvbnBuilder()

Select from and use default resources

The following code selects some from the default dictionary files and keyboards.

Zxcvbn zxcvbn = new ZxcvbnBuilder()

Localize feedback messages

The zxcvbn4j can be localized the english feedback message to other languages.

Localize each feedback

// Get the Strength instance.
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");

// Get the ResourceBundle based on the name and locale of the property file(※).
ResourceBundle resourceBundle = ResourceBundle.getBundle("This is bundle name", Locale.JAPAN);

// Feedback to pass the ResourceBundle. And to generate a localized Feedback.
Feedback feedback = strength.getFeedback();
Feedback localizedFeedback = feedback.withResourceBundle(resourceBundle);

// getSuggestions() and getWarning() returns localized feedback message.
List<String> localizedSuggestions = localizedFeedback.getSuggestions();
String localizedWarning = localizedFeedback.getWarning();

Defined Key and the message in the properties file. Reference the

Localize each locale

Strength strength = zxcvbn.measure(password);
Feedback feedback = strength.getFeedback();

Map<Locale, ResourceBundle> messages = new HashMap<>();
messages.put(Locale.JAPANESE, ResourceBundle.getBundle("This is bundle name", Locale.JAPANESE));
messages.put(Locale.ITALIAN, ResourceBundle.getBundle("This is bundle name", Locale.ITALIAN));
Feedback replacedFeedback = feedback.replaceResourceBundle(messages);

Requires Java

  • Java 1.7+

Using this library

Bugs and Feedback

For bugs, questions and discussions please use the GitHub Issues.


MIT License


This is a java port of zxcvbn, which is a JavaScript password strength generator.








No packages published