$ man password-strength
/password-strength
PRICE / CALL
$0.02
USDC · base mainnet · scheme: exact
METHOD
POST
CLUSTER
webprobeCATEGORY
utilities
STATUS
● live
NAME
password-strength — measures password strength with a zxcvbn-style score and optional hibp breach lookup
SYNOPSIS
POST https://x402.agentutility.ai/password-strength
Content-Type: application/json
X-PAYMENT: <signed-transferWithAuthorization>
{ ... }↳ first call →
402 Payment Required. Sign USDCtransferWithAuthorization, retry with theX-PAYMENT header.DESCRIPTION
Measures password strength with a zxcvbn-style score and optional HIBP breach lookup. Returns a 0-100 score and weak/fair/good/strong/excellent bucket, Shannon entropy bits, charset size, character-class breakdown (lower/upper/numbers/symbols), common-pattern detection (sequences, keyboard walks, repeats, dictionary words), and crack-time estimates across throttled/unthrottled/offline-slow/offline-fast attacker models. The optional Have-I-Been-Pwned check uses k-anonymity: only the first 5 chars of the SHA-1 hash leave the worker. Use it as a password strength meter, password checker, password entropy calculator, pwned password check, or password validator.
INPUT — request schema
| property | type | description | req? |
|---|---|---|---|
| password | string | Password to score. Sent over TLS to the worker but never logged. Max 200 chars. | required |
| check_breaches | boolean | If true (default), also performs a HIBP k-anonymity lookup and returns breach_count + is_breached. Set false to skip the network call for fully offline scoring. | optional |
OUTPUT — response shape
| field | type | description |
|---|---|---|
| score | number | Overall password strength score, typically 0-100 combining entropy, length, and pattern penalties. |
| bucket | string | Strength label like very-weak, weak, fair, strong, or very-strong derived from the score. |
| length | number | Character count of the submitted password. |
| entropy_bits | number | Shannon entropy estimate in bits based on charset size and length. |
| charset_size | number | Size of the effective character pool used for entropy math (e.g., 26, 62, 95). |
| character_classes | object | Per-class flags showing which sets appear: lowercase, uppercase, digits, symbols. |
| character_class_count | number | Number of distinct character classes present (0-4). |
| common_patterns_found | array | List of detected weak patterns like dictionary words, sequences, keyboard walks, or dates. |
| estimated_crack_time | object | Crack-time estimates for online, offline, and GPU attack scenarios as human-readable durations. |
| breach_count | number | Number of times the password appears in the Have I Been Pwned corpus. |
| is_breached | boolean | True when breach_count is greater than zero in the HIBP dataset. |
| breach_check_performed | boolean | True when the HIBP k-anonymity lookup ran successfully for this request. |
| feedback | array | Actionable suggestions to strengthen the password, such as add length or mix character classes. |
| note | string | Server-side note about scoring caveats, HIBP fallback, or privacy guarantee that the password never leaves. |
EXAMPLES — two ways to call
EXAMPLE 1 · curl
curl -X POST https://x402.agentutility.ai/password-strength \
-H 'Content-Type: application/json' \
-d '{ }'first response =
402 Payment Required with payment requirements; sign + retry with X-PAYMENT.EXAMPLE 2 · mcp
# Install the MCP package for this endpoint's cluster npx -y @agentutility/mcp-<cluster> # Required: EVM private key with USDC on Base export X402_PRIVATE_KEY=0x... # Then call the password-strength tool from your MCP-aware agent.
MCP server handles payment automatically — your coding agent just calls the tool by name.
METADATA
- tags
- passwordsecurityentropyhibpbreach
- methods
- POST
- cluster
- webprobe
- price
- $0.02 USDC per call
ADJACENT — other endpoints in webprobe
| endpoint | description | price |
|---|---|---|
| archive-snapshot | Finds the closest archived snapshot of a public URL, like a Wayback Machine API. | $0.02 |
| archive-snapshot-api | Finds archived snapshots of public web pages, returning the closest Wayback Machine captures with timestamps, status codes, and replay URLs. | $0.02 |
| archive-url | Looks up the archived copy of a public URL closest to a given timestamp and can fetch cleaned archived page text. | $0.02 |
| brand-domain-check | Checks whether a brand or company domain is established, expiring, registrar-locked, or newly registered, on the same RDAP backend as who… | $0.02 |
| brand-watch-domain-risk | Checks new or suspicious brand-adjacent domains for age, registrar, expiry, DNSSEC, and transfer/lock statuses. | $0.02 |
| creator-domain-check | Checks creator, newsletter, podcast, and community domains for age, expiry, registrar, DNSSEC, and suspicious new-registration flags. | $0.02 |
| dmarc-check | Audits a domain's email authentication posture: DMARC, SPF, and DKIM in one check. | $0.02 |
| dns-lookup | Full DNS lookup over Cloudflare 1.1.1.1 DNS-over-HTTPS. | $0.02 |
SEE ALSO