# Password Strength Scorer MCP

> Password Strength Scorer evaluates any password using the Dropbox zxcvbn engine—the same algorithm protecting 700M+ users. It calculates a concrete score (0-4), estimates real crack times for four attack scenarios, and identifies specific weaknesses like common dictionary words or predictable patterns. Don't trust simple regex checks; this tool performs deep combinatorial analysis that no basic AI model can replicate.

## Overview
- **Category:** loved-by-devs
- **Price:** Free
- **Tags:** password-strength, entropy-analysis, security-best-practices, crack-time-estimation, authentication-security

## Description

The `score_password_strength` tool analyzes any password using the Dropbox zxcvbn engine—the same algorithm protecting hundreds of millions of users. You don't need a basic regex check; this thing runs deep combinatorial analysis that standard AI models simply can't replicate.

This score isn't just checking if you used one capital letter or two numbers. It measures actual difficulty. The tool gives you a concrete 0-4 security score, quantifying exactly how strong your password is. A higher number means it’s tougher to crack.

When you use the tool, it doesn't just give you a single grade; it predicts real crack times under four different attack conditions. You get estimates for online unthrottled attacks, where the service imposes no rate limit on guesses; online throttled attacks, where the login page caps the number of attempts; local slow-hash attacks against a stolen hash computed with a slow function like bcrypt; and local fast-hash attacks against a hash computed with a fast function like MD5 or SHA. Reading the estimate for the scenario that matches your system tells you precisely how exposed the password is.

It also flags specific security flaws in your password. If you use common dictionary words or predictable patterns—like sequential dates or obvious substitution ciphers—the tool points them out immediately. It shows you *why* it’s weak, not just that it is. This deep analysis means it recognizes structures like 'qwerty' keyboard sequences or simple word+number combinations instantly.

If you wanna check a couple of passwords against each other, the tool lets you compare them directly. You see which one genuinely resists attack better and why. It’s all about measurable resistance. When you run this through your agent, it gives you actionable security warnings based on its analysis. The data never leaves your environment; it's privacy-first.

Think of it this way: other checkers only confirm character types. This engine looks at the whole structure—the word patterns, the dictionary matches, the keyboard predictability—and tells you exactly how hard a bad actor is gonna have to work to crack it.

## Tools

### score_password_strength
Analyzes a password using zxcvbn, returning a 0-4 score, estimated crack times for different attack scenarios, and actionable security warnings.

## Prompt Examples

**Prompt:** 
```
Our new hire set their password to 'Summer2024!'. Is that actually secure?
```

**Response:** 
```
Score: 1 (Weak). Warning: Common word + predictable year + single symbol. Crack time: 3 minutes local. Suggest: use unrelated words.
```

**Prompt:** 
```
Is 'correct horse battery staple' really stronger than 'Tr0ub4dor&3'?
```

**Response:** 
```
Yes. 'correct horse battery staple': Score 4 (Very Strong), centuries to crack. 'Tr0ub4dor&3': Score 1, common l33t pattern.
```

**Prompt:** 
```
Audit our auto-generated API keys for security compliance before deployment.
```

**Response:** 
```
Score: 4 (Very Strong). Crack time: centuries at 10B guesses/sec. Entropy exceeds compliance minimum.
```

## Capabilities

### Calculate Security Score
It returns a specific 0-4 score that quantifies how strong or weak a given password is.

### Estimate Crack Time
The tool predicts the time it will take to crack the password under four distinct attack conditions.

### Identify Weak Patterns
It flags specific security flaws, pointing out common dictionary words or predictable patterns used in the password.

### Compare Passwords
You can compare two different passwords to determine which one is genuinely stronger and more resistant to attack.

## Use Cases

### Onboarding a New Team Member
A new hire sets their password to 'Summer2024!'. Instead of just telling them it's bad, your agent runs `score_password_strength('Summer2024!')`. The output immediately shows Score: 1 (Weak) and warns about the predictable date + common word combination. You can then tell them exactly what to change.

### Auditing API Keys
You need to audit a batch of auto-generated, high-entropy API keys for compliance. Your agent runs `score_password_strength` on the key strings. The result confirms Score: 4 (Very Strong) and zero discernible patterns, proving they exceed minimum entropy requirements before deployment.

### Comparing Credential Options
You are debating between two new authentication methods: a standard passphrase vs. a complex GUID. You run `score_password_strength` on both strings. The output definitively proves which method offers higher entropy and significantly longer estimated crack times, allowing you to make an evidence-based decision.

### Fixing Weak Policy Definitions
The existing policy only mandates 8 characters. You run `score_password_strength` on a typical 8-character input and the result shows Score: 2 (Medium) with minutes of crack time. This forces the security team to raise the minimum complexity requirement substantially.

## Benefits

- **Real-World Attack Metrics:** Stop using vague advice. The `score_password_strength` tool gives you concrete crack time estimates for four different attack scenarios (online unthrottled, local fast hash, etc.). This tells you the actual risk exposure, not just a number.
- **Pinpoint Weaknesses:** It doesn't just say 'weak.' It analyzes *why*. The scorer detects specific failures like common l33t substitutions or sequences derived from keyboard patterns. You get actionable warnings to improve the input immediately.
- **Compares Passwords Accurately:** Need to compare a user's old password against a proposed new one? Run both through `score_password_strength`. It measures true combinatorial difference, letting you prove which string is mathematically superior.
- **Zero Data Leakage:** Because the engine runs locally, the actual password data never leaves your agent or client. This makes it safe to run sensitive checks right in production pipelines without worrying about network calls or third-party logging.
- **Industry Standard Validation:** You're relying on the Dropbox zxcvbn algorithm—the same one used by millions of services globally. Using this tool means you’re validating against an established, highly resilient industry benchmark.

## How It Works

The bottom line is that you get quantified security metrics (a score and per-scenario crack-time estimates) instead of vague 'strong' or 'weak' labels.

1. Pass the password or set of passwords you want to test into the agent.
2. The engine runs real combinatorial analysis, checking against dictionaries, patterns, and common substitutions.
3. You get back a detailed report: the 0-4 score, estimated crack times for multiple attack types, and specific warnings.

## Frequently Asked Questions

**Can I use score_password_strength for anything other than passwords?**
It is designed specifically for password analysis. While it analyzes strings, its metrics (score and crack time) are based on known patterns, dictionaries, and substitution methods unique to credentials.

**Does score_password_strength leak my data over the network?**
No. The zxcvbn engine runs locally within the MCP server environment. Your password never leaves the secure computational boundary, ensuring zero data leakage risk for sensitive inputs.

**What is the difference between score_password_strength and a simple regex check?**
A regex only checks character structure (e.g., `[a-zA-Z0-9]`). The scorer uses combinatorial analysis, checking for dictionary words, common sequences, and pattern predictability—which is far more rigorous.

**How do I use score_password_strength to compare two passwords?**
Pass both strings into the tool. It will run a comparative entropy analysis and tell you which password has higher resistance against brute-force attacks, providing clear evidence for your policy changes.

**What do the different crack time estimates provided by score_password_strength mean?**
The estimate provides four specific risk metrics. You get crack-time estimates for online throttled, online unthrottled, local slow hash, and local fast hash attacks. This breakdown helps you understand the password's resilience under multiple real-world cracking conditions.

**How does score_password_strength handle very long or complex inputs?**
The engine processes all string lengths effectively. It analyzes entropy by checking against dictionaries, keyboard sequences (like qwerty), and common patterns, regardless of the password's length. Longer strings generally improve the final security score.

**If I run score_password_strength repeatedly, are there rate limits or performance concerns?**
The analysis is highly efficient because it runs locally without external calls. While Vinkius manages general API rates, the processing time for a single password assessment is near-instantaneous, making rapid iteration safe and fast.

**What should I do if score_password_strength returns an error or no data?**
If you receive an error, check that your input field contains a valid string. If the password is null or empty, the tool will return a default score of 0 and basic failure suggestions. This confirms missing data was the cause.

**Why can't my AI evaluate password strength?**
AI checks superficial rules like 'has uppercase + number + symbol'. zxcvbn does combinatorial analysis — it knows 'P@ssw0rd' is just 'Password' with l33t substitutions, and rates it as weak despite passing every 'rule-based' check.

**Is the password sent to any external server?**
No. 100% local. The embedded dictionary and pattern matching engine run entirely in-process. Zero network calls, zero data leakage, zero risk.

**What do the crack time numbers actually mean?**
Four real attack scenarios: Online throttled (100/hour — most login pages), Online unthrottled (10/sec), Local slow hash (10K/sec — bcrypt), Local fast hash (10B/sec — MD5/SHA). Choose the scenario matching your system.
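To make those numbers concrete, here is an added Python example (not the MCP server's or zxcvbn's own code) that reproduces zxcvbn's 0-4 score thresholds, its four crack-time scenarios at the guess rates listed above, and the l33t de-substitution that turns 'P@ssw0rd' back into 'password'. The dictionary is a constructed toy, and guess estimation is simplified to whole-token dictionary matches with a 10^length brute-force fallback.

```python
import itertools

# Guess rates for zxcvbn's four attack scenarios (the numbers the FAQ lists).
SCENARIOS = {"online_throttled_100_per_hour": 100 / 3600,
             "online_unthrottled_10_per_second": 10,
             "offline_slow_hash_1e4_per_second": 1e4,
             "offline_fast_hash_1e10_per_second": 1e10}
# Subset of zxcvbn's l33t table: leet character -> letters it may stand for.
L33T = {"4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "0": "o",
        "$": "s", "5": "s", "+": "t", "7": "t"}
# Constructed toy dictionary: word -> frequency rank (1 = most common).
DICTIONARY = {"password": 2, "summer": 700, "qwerty": 5}
# zxcvbn's display units: (singular, plural, seconds); month=31 days, year=12 months.
UNITS = (("century", "centuries", 3214080000), ("year", "years", 32140800),
         ("month", "months", 2678400), ("day", "days", 86400),
         ("hour", "hours", 3600), ("minute", "minutes", 60), ("second", "seconds", 1))

def guesses_to_score(guesses):
    """zxcvbn's score thresholds: <1e3 -> 0, <1e6 -> 1, <1e8 -> 2, <1e10 -> 3."""
    for score, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit + 5:
            return score
    return 4

def display_time(seconds):
    """Human-readable crack time, modelled on zxcvbn's display_time."""
    for singular, plural, size in UNITS:
        if seconds >= size:
            n = round(seconds / size)
            return f"{n} {singular if n == 1 else plural}"
    return "less than a second"

def unl33t_variants(token):
    """Every plain-text reading of token under the l33t table."""
    return {"".join(p) for p in itertools.product(*[L33T.get(c, c) for c in token.lower()])}

def dictionary_guesses(token):
    """Guesses for a whole-token dictionary match, or None. Simplification of
    zxcvbn: rank, doubled when a l33t substitution was needed to reach the word."""
    hits = [DICTIONARY[v] * (1 if v == token.lower() else 2)
            for v in unl33t_variants(token) if v in DICTIONARY]
    return min(hits) if hits else None

def score_report(token):
    """Score, guess count and per-scenario crack times for one password.
    Unmatched tokens fall back to zxcvbn's brute-force estimate of 10**len."""
    guesses = dictionary_guesses(token) or 10 ** len(token)
    return {"guesses": guesses, "score": guesses_to_score(guesses),
            "crack_times": {name: display_time(guesses / rate)
                            for name, rate in SCENARIOS.items()}}
```

An empty string falls through to one guess and a score of 0, matching the empty-input behaviour described in the FAQ.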