Password Strength
Analyze the strength of a password. Returns a score, estimated crack time, actionable suggestions, and breach detection. The password is never logged or stored.
Endpoint
POST /api/v1/password/strength
Authentication
All requests require an API key passed via the X-Api-Key header.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| password | string | Yes | Password to analyze |
{
  "password": "correct horse battery staple"
}
Response
{
  "score": 4,
  "crackTimeDisplay": "centuries",
  "crackTimeSeconds": 1.5768e16,
  "guesses": 1.578e19,
  "warning": "",
  "suggestions": [],
  "breached": false,
  "breachCount": 0
}
Response Fields
| Field | Type | Description |
|---|---|---|
| score | integer | Strength score from 0 (weakest) to 4 (strongest) |
| crackTimeDisplay | string | Human-readable estimated time to crack |
| crackTimeSeconds | number | Estimated time to crack in seconds (offline attack) |
| guesses | number | Estimated number of guesses required |
| warning | string | Warning message if the password has a known weakness |
| suggestions | array | List of suggestion strings to improve the password |
| breached | boolean | Whether the password has appeared in known data breaches (via HIBP) |
| breachCount | integer | Number of times the password was found in data breaches (0 if not breached) |
Score Values
| Score | Meaning | Description |
|---|---|---|
| 0 | Very weak | Trivially guessable — top passwords, common patterns |
| 1 | Weak | Still very guessable — protection from throttled attacks only |
| 2 | Fair | Somewhat guessable — moderate protection |
| 3 | Strong | Safely unguessable — good protection |
| 4 | Very strong | Very unguessable — excellent protection |
Breach Detection
The breach check uses the Have I Been Pwned (HIBP) Passwords API with k-anonymity. Only the first 5 characters of the password's SHA-1 hash are sent to the HIBP API, which returns the hash suffixes that share that prefix; the comparison against those suffixes is done locally, so the full password never leaves the server. A breached: true result means the password has appeared in at least one known data breach and should not be used.
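The k-anonymity lookup described above, sketched as an added example (not this API's own code): the hash is split into the 5-character prefix that is sent and the 35-character suffix that stays local, and the suffix is matched against a range response of "SUFFIX:COUNT" lines. The function names, the stub transport and the sample corpus with its counts are assumptions constructed for illustration; the stub stands in for the real HIBP range endpoint so the code runs offline.

```python
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here

def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Find our suffix in a range response made of "SUFFIX:COUNT" lines."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) == 35 and candidate.upper() == suffix:
            return int(count)  # padding entries carry a count of 0
    return 0

def check_password(password, fetch_range):
    """fetch_range(prefix) -> response body; only the prefix crosses the wire."""
    prefix, suffix = split_hash(password)
    count = breach_count(suffix, fetch_range(prefix))
    # Same field names as the response documented on this page.
    return {"breached": count > 0, "breachCount": count}

# Constructed sample corpus (counts are made up) standing in for the HIBP data set.
SAMPLE_CORPUS = {"password": 1000, "hunter2": 17, "padding-entry": 0}
sent_prefixes = []  # everything the stub "receives" from the caller

def stub_fetch_range(prefix):
    """Offline stand-in for GET HIBP_RANGE_URL + prefix."""
    sent_prefixes.append(prefix)
    lines = []
    for sample, n in SAMPLE_CORPUS.items():
        p, s = split_hash(sample)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", "padding-entry"):
        print(pw, check_password(pw, stub_fetch_range))
```

A suffix that appears with a count of 0 is treated as not breached, which is how padded range responses should be read.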
Example
curl -X POST \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"password": "correct horse battery staple"}' \
  "https://api.iqxlookup.neivi.es/api/v1/password/strength"
Notes
- Passwords are analyzed in-memory and are never persisted or logged
- Scoring accounts for common patterns, dictionary words, keyboard sequences, repeated characters, and l33t substitutions
- The crack time estimate assumes an offline, unthrottled attack scenario