Password Strength Index API

How to Use the API

This API is actually pretty straightforward to use. It involves four simple HTTPS POST values, posted to

  1. API Token - a string of characters we provide to you
  2. Password - the password for which you'd like the Strength Index calculated
  3. Signature - a hash signature (see below)
  4. Format - the format of the response (txt, json, xml)

In the response, you'll get a floating point decimal that represents the Strength Index for the provided password string. Depending on the format you specify, you'll also receive a few other values, including a Google-o-Meter graphic and a one-word text summary (in English, though I might add other languages down the road) for the Strength Index (in ascending order: Useless, Terrible, Typical, Good, Secure, Impressive, Insane).

Signing Requests

The request signing process is pretty straightforward. The "signature" POST value is a SHA512 hash of the following values, concatenated in this order:

  • password
  • format
  • secret

So, in PHP, it might be something like this:

	// Example values
	$password = 'abc123';
	$secret = '1234567890abcdefghijklmnop';
	$format = 'json';
	// Hash password, format and secret, concatenated in that order
	$signature = hash('sha512', $password . $format . $secret);
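
The signing step above, together with a receiving-side check, as an added Python example (not code from this API's author). The POST field names `token`, `password`, `format` and `signature`, the UTF-8 encoding, and the token-to-secret lookup are assumptions, since the page does not name them.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

ALLOWED_FORMATS = ("txt", "json", "xml")  # response formats listed on the page


def sign(password: str, fmt: str, secret: str) -> str:
    """SHA512 hex digest of password + format + secret, as in the PHP snippet."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported format: {fmt!r}")
    data = (password + fmt + secret).encode("utf-8")  # UTF-8 is an assumption
    return hashlib.sha512(data).hexdigest()


def build_body(token: str, password: str, fmt: str, secret: str) -> str:
    """URL-encoded POST body. Sign the raw password first, URL-encode afterwards.
    Field names are assumed; the secret itself is never sent."""
    return urlencode({
        "token": token,
        "password": password,
        "format": fmt,
        "signature": sign(password, fmt, secret),
    })


def verify_body(body: str, secrets_by_token: dict) -> bool:
    """Receiver-side check: recompute the signature, compare in constant time."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    try:
        secret = secrets_by_token[fields["token"]]
        expected = sign(fields["password"], fields["format"], secret)
        supplied = fields["signature"].lower()
    except (KeyError, ValueError):
        return False  # missing field, unknown token or unsupported format
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed sample values; the secret is the one from the PHP snippet.
    secret = "1234567890abcdefghijklmnop"
    body = build_body("tok1", "abc123", "json", secret)
    print(body)
    print(verify_body(body, {"tok1": secret}))
```
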


The following questions should cover most of your concerns.

Sounds Great. So, what's a Strength Index again?

A Strength Index is a numeric representation of a password's ability to resist brute force attacks. For more information, see our About Strength Indices page.

Do you log the passwords?

Absolutely not. It would defeat the purpose of this tool if we compromised it in any manner. The only thing we log is the fact that the API was hit, and that's just so we can ensure we've got the needed capacity.

Do you support HTTPS?

Yes. In fact, we require it on API calls.

Do you support HTTP?

Not for the API. Any API requests received via HTTP are discarded immediately without response. Technically, if you send an HTTP request to the API, you've already compromised that password. So it's useless as far as we're concerned.
