Password Strength Checker

Evaluate password strength in bulk for security audits and compliance workflows. Each password is scored using zxcvbn — the industry-standard algorithm by Dropbox that powers password meters on major websites. Returns score, crack time estimates across four attack scenarios, character composition, specific issues found, and actionable suggestions.

What does it do?

This actor accepts a list of passwords and returns a detailed strength analysis for each one. Unlike simple regex checkers that only count character types, it uses the zxcvbn algorithm which understands:

• 🔍 Common passwords and dictionary words (password, iloveyou, qwerty, etc.)
• 🔑 Common substitutions (p@ssw0rd, l33tspeak, etc.)
• ⌨️ Keyboard patterns (qwerty, asdf, zxcvFG, etc.)
• 📅 Date patterns (1990, jan1990, etc.)
• 🔁 Repeated patterns (aababababc, etc.)
• 🧩 Name and word combinations (firstname + year, etc.)

It also lets you supply user context words (name, username, company) to detect passwords that include personal identifiers — these would be cracked faster in a targeted attack.

Output per password:

• Score from 0 (very weak) to 4 (very strong) with a human-readable label
• Crack time estimates for four realistic attack scenarios
• Exact character composition (uppercase, lowercase, digits, symbols)
• List of specific issues found (too short, no symbols, keyboard pattern, etc.)
• Improvement suggestions tailored to the password

Who is it for?

👨‍💼 Security auditors — batch-evaluate exported credential databases to identify weak passwords before attackers do. Generate compliance reports showing password strength distribution across user accounts.

🛡️ Penetration testers — pre-screen password lists to prioritize cracking attempts. Identify which hashes are likely crackable with offline attacks based on estimated crack times.

🏢 IT and SysAdmin teams — enforce password policies at scale. Export user accounts, run them through this checker, and identify accounts that need a forced reset during your next security review.

👩‍💻 Developers — integrate password strength analysis into your security tooling pipeline. Compare your app's password distribution before and after policy changes.

📊 Compliance officers — document password strength metrics for GDPR, SOC 2, ISO 27001, and HIPAA audits. Demonstrate that your organization enforces strong password policies.

🔬 Security researchers — analyze password datasets to study real-world password patterns and evaluate effectiveness of password policies across different services.

Why use this instead of writing your own?

zxcvbn is hard to run at scale. It is a JavaScript library that needs to be executed per-password. Spinning up infrastructure to batch-process thousands of passwords, handling deduplication, and collecting structured output is exactly what this actor handles for you.

• ✅ No infrastructure setup — just provide passwords, get results
• ✅ Structured JSON output ready for your spreadsheet, database, or pipeline
• ✅ Industry-standard algorithm (same one Dropbox, Basecamp, and others use)
• ✅ Crack time estimates for four realistic attack scenarios, not just "weak/strong"
• ✅ Specific issues and actionable suggestions — not generic "add a special character"
• ✅ Deduplicate passwords automatically to avoid paying twice for the same check
• ✅ Supply user context (name, username) for more accurate targeted-attack estimates

Output data fields

Each item in the dataset corresponds to one password:

Field	Type	Description
password	string	The input password
score	number	Strength score: 0=very weak, 1=weak, 2=fair, 3=strong, 4=very strong
strengthLabel	string	Human-readable label: "very weak", "weak", "fair", "strong", "very strong"
crackTimeOnlineThrottled	string	Crack time: online attack at 100 guesses/hour (throttled login form)
crackTimeOnlineUnthrottled	string	Crack time: online attack at 10 guesses/second (no throttling)
crackTimeOfflineSlowHash	string	Crack time: offline attack at 10,000 guesses/second (bcrypt)
crackTimeOfflineFastHash	string	Crack time: offline attack at 10 billion guesses/second (MD5/SHA1)
crackTimeOnlineThrottledSeconds	number	Same as above in seconds (for sorting/filtering)
crackTimeOnlineUnthrottledSeconds	number	Same as above in seconds
crackTimeOfflineSlowHashSeconds	number	Same as above in seconds
crackTimeOfflineFastHashSeconds	number	Same as above in seconds
guesses	number	Estimated number of guesses needed to crack
guessesLog10	number	Log10 of guesses (useful for distribution charts)
issues	array	List of specific weaknesses found
issueCount	number	Number of issues found (0 = no issues)
suggestions	array	Actionable improvement suggestions
warning	string|null	zxcvbn warning message (e.g. "This is a top-10 common password")
length	number	Password length in characters
uppercaseCount	number	Number of uppercase letters
lowercaseCount	number	Number of lowercase letters
digitCount	number	Number of digits
symbolCount	number	Number of symbols
hasUppercase	boolean	Contains at least one uppercase letter
hasLowercase	boolean	Contains at least one lowercase letter
hasDigits	boolean	Contains at least one digit
hasSymbols	boolean	Contains at least one symbol
checkedAt	string	ISO timestamp when the check was performed

How much does it cost to check password strength in bulk?

Pricing uses Apify's pay-per-event (PPE) model — you only pay for what you actually process:

Event	Price
Start (one-time per run)	$0.01
Per password checked	$0.001

Examples:

• Check 100 passwords → $0.01 + 100 × $0.001 = $0.11
• Check 1,000 passwords → $0.01 + 1,000 × $0.001 = $1.01
• Check 10,000 passwords → $0.01 + 10,000 × $0.001 = $10.01

Free plan estimate: Apify's free plan includes $5/month in compute credits. That covers checking approximately 4,900 passwords/month for free before incurring costs.

Duplicate passwords are automatically removed (unless you disable deduplication), so if your list contains repeated passwords you won't be charged twice for the same check.

How to use it — step by step

1. Go to the actor page at https://apify.com/automation-lab/password-strength-checker
2. Click "Try for free" to open the actor in Apify Console
3. Paste your passwords into the "Passwords to evaluate" field — one per line
4. (Optional) Add user context words — enter names, usernames, or company names to improve targeted-attack accuracy
5. Click "Start" to run the actor
6. Review results in the dataset table view — scores, crack times, and issues are shown in sortable columns
7. Export data as JSON, CSV, or Excel using the dataset export button

Input parameters

Passwords to evaluate (required)

The list of passwords to analyze. Each entry becomes one row in the output dataset. Supports any string — leave the deduplication option on (default) to avoid paying twice for repeated entries.

{
    "passwords": [
        "hunter2",
        "correct-horse-battery-staple",
        "P@ssw0rd!2024",
        "Summer2023!"
    ]
}

User context words (optional)

A list of personal identifiers the user is known to use. zxcvbn uses these to penalize passwords that include them. For example, if you know the user's name is "john smith" and they work at "acme", providing these words will make the algorithm correctly flag "johnsmith2023" as weaker than it would otherwise appear.

{
    "userInputs": ["john", "smith", "acme"]
}

Deduplicate passwords (optional, default: true)

When true, duplicate entries in the passwords list are removed before processing. You're only charged for unique passwords.

Output example

Here is a sample result for the password password123:

{
    "password": "password123",
    "score": 0,
    "strengthLabel": "very weak",
    "crackTimeOnlineThrottled": "6 hours",
    "crackTimeOnlineUnthrottled": "60 seconds",
    "crackTimeOfflineSlowHash": "less than a second",
    "crackTimeOfflineFastHash": "less than a second",
    "crackTimeOnlineThrottledSeconds": 21456,
    "crackTimeOnlineUnthrottledSeconds": 59.6,
    "crackTimeOfflineSlowHashSeconds": 0.0596,
    "crackTimeOfflineFastHashSeconds": 5.96e-8,
    "guesses": 596,
    "guessesLog10": 2.78,
    "issues": [
        "Short password (less than 12 characters recommended)",
        "No uppercase letters",
        "No symbols",
        "Contains sequential numbers"
    ],
    "issueCount": 4,
    "suggestions": [
        "Add another word or two. Uncommon words are better.",
        "Add uppercase letters (A-Z)",
        "Add symbols (e.g. !@#$%^&*)",
        "Use at least 12 characters"
    ],
    "warning": "This is a very common password",
    "length": 11,
    "uppercaseCount": 0,
    "lowercaseCount": 8,
    "digitCount": 3,
    "symbolCount": 0,
    "hasUppercase": false,
    "hasLowercase": true,
    "hasDigits": true,
    "hasSymbols": false,
    "checkedAt": "2026-01-15T10:23:45.123Z"
}

Tips for best results

💡 Use deduplication — if your password list comes from a database export, there will likely be duplicates. Deduplication is on by default and saves you money.

💡 Supply user context — if you're checking passwords for a specific user or organization, pass known identifiers (first name, last name, username, company name) as userInputs. This is especially important for targeted security audits where attackers would have this context.

💡 Sort by score or crackTimeOfflineFastHashSeconds — export to CSV and sort ascending to find your weakest passwords immediately. Anything with crackTimeOfflineFastHashSeconds < 1 is crackable in milliseconds with modern hardware.

💡 Filter by issueCount — passwords with 0 issues and score ≥ 3 are acceptable. Passwords with issueCount ≥ 3 should be flagged for mandatory reset.

💡 Understanding crack time scenarios:

• Online throttled — the attacker is hitting a login form that limits attempts (realistic for consumer apps)
• Online unthrottled — the attacker found an API or form with no rate limiting
• Offline slow hash — the attacker obtained your database and it uses bcrypt/scrypt/argon2 (best case for defense)
• Offline fast hash — the attacker obtained your database and it uses MD5/SHA1/SHA256 without salt (worst case — this is why you should use bcrypt)

💡 Score interpretation:

• Score 0-1: Reject — do not allow users to set these passwords
• Score 2: Borderline — consider requiring improvement before accepting
• Score 3-4: Accept — these are adequately strong for most use cases

Integrations

Zapier — automated weak password alerts

Connect this actor to a Zapier workflow to get Slack or email alerts when a security scan finds weak passwords:

1. Set up a scheduled Apify run with your password list
2. Use Zapier to watch the dataset for items where score < 2
3. Send a Slack notification with the count of weak passwords found

Google Sheets — password audit dashboard

Export the dataset to Google Sheets to build a password strength dashboard:

1. Run the actor with your password list
2. Export the dataset as CSV
3. Import to Google Sheets and use conditional formatting to highlight score 0-1 in red
4. Create a pie chart of strengthLabel distribution

n8n — compliance workflow automation

Use this actor in an n8n workflow for automated compliance reporting:

1. HTTP Request node to call Apify API and start the actor
2. Wait for the run to finish using Apify's webhook integration
3. Fetch dataset items and filter for score < 3
4. Generate a PDF report using n8n's PDF node
5. Send the report to your compliance officer via email

Make (Integromat) — scheduled security scans

Schedule weekly password audits using Make:

1. Use the Apify module to run this actor on a schedule
2. Filter results where issueCount > 2
3. Create a Google Sheets row for each weak password found
4. Send a digest email every Monday morning

API usage

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });

const run = await client.actor('automation-lab/password-strength-checker').call({
    passwords: [
        'hunter2',
        'correct-horse-battery-staple',
        'P@ssw0rd!2024',
    ],
    userInputs: ['john', 'smith'],
    deduplicatePasswords: true,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();

for (const item of items) {
    console.log(`${item.password}: ${item.strengthLabel} (score ${item.score})`);
    if (item.issues.length > 0) {
        console.log('  Issues:', item.issues.join(', '));
    }
}

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_APIFY_TOKEN')

run = client.actor('automation-lab/password-strength-checker').call(run_input={
    'passwords': [
        'hunter2',
        'correct-horse-battery-staple',
        'P@ssw0rd!2024',
    ],
    'userInputs': ['john', 'smith'],
    'deduplicatePasswords': True,
})

items = client.dataset(run['defaultDatasetId']).list_items().items

for item in items:
    print(f"{item['password']}: {item['strengthLabel']} (score {item['score']})")
    if item['issues']:
        print(f"  Issues: {', '.join(item['issues'])}")

cURL

# Start the actor run
curl -X POST "https://api.apify.com/v2/acts/automation-lab~password-strength-checker/runs" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "passwords": ["hunter2", "correct-horse-battery-staple", "P@ssw0rd!2024"],
    "userInputs": ["john"],
    "deduplicatePasswords": true
  }'

# Fetch results (replace DATASET_ID with the defaultDatasetId from the run response)
curl "https://api.apify.com/v2/datasets/DATASET_ID/items" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN"

Use with Claude AI (MCP)

This actor is available as a tool in Claude AI through the Model Context Protocol (MCP). Add it to Claude Desktop, Cursor, Windsurf, or any MCP-compatible client.

Setup for Claude Code

$claude mcp add --transport http apify "https://mcp.apify.com"

Setup for Claude Desktop, Cursor, or VS Code

Add this to your MCP config file:

{
    "mcpServers": {
        "apify": {
            "url": "https://mcp.apify.com"
        }
    }
}

Example prompts

• "Check the strength of these passwords and tell me which ones are weak: password123, Tr0ub4dor&3, correct-horse-battery-staple."
• "Run a password audit on this list and give me a summary broken down by strength level and issue type."
• "Which of these passwords would be cracked in under a minute with an offline fast-hash attack?"

Learn more in the Apify MCP documentation.

Legality and privacy

This actor processes passwords you provide in the input. It does not store, log, or transmit passwords to any third party beyond Apify's infrastructure (where your run executes).

Use this actor only on passwords you have a right to analyze. Legitimate use cases include:

• Analyzing passwords from accounts you own or manage
• Conducting authorized security audits on your organization's systems
• Research using synthetic or anonymized password datasets
• Compliance auditing with appropriate authorization

Do not use this actor to analyze passwords obtained without authorization. Unauthorized access to credential data is illegal in most jurisdictions.

All processing happens in your Apify account's isolated run environment. Datasets are private by default and only accessible with your API token.

FAQ

What is the zxcvbn algorithm?

zxcvbn is an open-source password strength estimator created by Dropbox in 2012. Unlike simple checkers that just count character types, it uses a pattern-matching approach to estimate how many guesses an attacker would need. It checks against a database of ~10,000 common passwords, English words, names, and common substitutions. It's used by Basecamp, Dropbox, GitHub Enterprise, and many others.

Why does "correct-horse-battery-staple" score 4 even without numbers or symbols?

Length and unpredictability matter more than character variety. A four-word passphrase creates enormous entropy — an attacker would need trillions of guesses even with a dictionary attack. This is why NIST SP 800-63B now recommends passphrases over complex short passwords.

Can I check hashed passwords?

No — this actor analyzes plaintext passwords using the zxcvbn algorithm. If you have hashed passwords (e.g., bcrypt hashes), you would need to crack them first before analysis, which is a different workflow outside this actor's scope.

How many passwords can I process in one run?

There is no hard limit. The actor processes passwords sequentially in memory — a single run can handle tens of thousands of passwords. The main constraint is the 300-second timeout on the default plan, which is sufficient for roughly 50,000+ passwords.

My passwords contain special characters — will they parse correctly?

Yes. The actor accepts any UTF-8 string. If you're providing input via the API, make sure to properly JSON-encode your password strings. Special characters like ", \, and control characters must be escaped in the JSON payload.

Why does the same password score differently with userInputs?

zxcvbn applies an additional penalty when a password contains words from the userInputs list. For example, "johnsmith2023" scores higher without context than when you pass ["john", "smith"] as userInputs — because an attacker who knows the target's name would try those combinations first.

Is this actor suitable for real-time password validation?

This actor is designed for bulk security audits, not real-time validation. For real-time use (e.g., showing a strength meter as users type), embed the zxcvbn npm package directly in your frontend or backend application.

The actor ran but some items show "error" as the strengthLabel — what happened?

This indicates an unexpected error processing a specific password. The error message is included in the output item. This is rare and typically caused by an extremely large input string (millions of characters). Normal passwords of any reasonable length will process successfully.

Related actors

• Phone Number Validator — validate and format phone numbers in bulk
• Email Enrichment — verify email addresses and enrich with company data
• Domain Availability Checker — bulk check domain availability across TLDs
• SPF Record Checker — verify SPF, DKIM, and DMARC email security records
• DMARC Record Checker — validate DMARC policies for email security compliance
• Broken Link Checker — find broken links across websites for security and SEO audits