Password Strength

Password Strength

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks (Wikipedia) (opens in a new tab)

With Opaque the server never sees the password, so it can't enforce any password strength rules. This means that the client is responsible for ensuring that the password is strong enough.

Why is this important?

If an attacker can guess a user's password, they can impersonate the user and access their data. Then all the security measures in place and all the modern cryptography used to protect the data are useless.

In addition it can be seen as another measure to improve against the case where you server setup (which includes the server private key and OPRF seeds) is compromised. If the passwords are strong enough, the attacker will have a hard time to guess them.

In the context of end-to-end encryption it is even more important to ensure even the server admins have a hard time to guess it.


While there are many ways to calculate password strength, one of the better ones is the zxcvbn (opens in a new tab) developed by Dropbox. Unfortunately, the original JavaScript implementation (opens in a new tab) is not maintained anymore.

There is a rewrite of the original zxcvbn in TypeScript called zxcvbn-ts. You can find it here an while we can't vouche for its quality, it seems to be the best option available at the moment. You can find the documentation at (opens in a new tab) and the source repository at (opens in a new tab).