Tiny Password Checker Outperforms bloated zxcvbn in Speed, Same Accuracy

For years, most sign-up forms have carried a 389 KB password-strength library just to weed out “password123.” That’s 389 KB of JavaScript landing in every mobile browser—slowing pages, spiking bounce rates, and barely improving security. Now a 3 KB drop-in replacement does the same job, in the same way, with the same detection rate, but finishes loading before the user’s finger lifts from the screen.
From 389 KB to 3 KB—same breach hits, zero extra load
zxcvbn has ruled the npm registry for years, clocking over a million weekly downloads. Yet it hasn’t seen a commit since 2017, and its 389 KB gzipped payload still parses a 40,000-word dictionary on every cold start. The new library, passcore, carries a 3 KB gzipped footprint and matches zxcvbn’s 98.4% detection rate against live breach lists from RockYou, Adobe, and Have I Been Pwned. Benchmarks show it initializes in ~0.2 ms—roughly 500 times faster—and scores a password in about 2,600 ns, making it effectively invisible to Core Web Vitals.
Five layers, not one giant dictionary
Instead of shipping every possible English word, passcore sources its dictionary directly from real leaks. It then runs five lightweight detectors in sequence: dictionary match, keyboard patterns (qwerty, 1234), repeated characters (aaaa), sequential runs (abcdef, 123456), and leetspeak decoding. The scoring scale remains 0–4, but the model adds a length floor aligned with NIST SP 800-63B: 20+ characters scores at least 3, 30+ characters scores 4 regardless of character variety.
Real-world patterns finally handled
During development, simple patterns like Password1! or Admin123 kept slipping through because no dictionary contained them verbatim. The fix was a common-root matcher that strips leading and trailing non-alphanumeric characters and checks the remaining word. Another challenge was leetspeak with separators (“N0=Acc3ss”), which a naive decoder would miss. Splitting decoded segments on non-letters solved that. Finally, the five most abused root words—admin, test, user, login, pass—were added after breach data revealed they were missing.
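As an added example (this is not passcore's source, nor zxcvbn's), here is a compact JavaScript scorer that implements the five detectors from the previous section together with the common-root matcher and the separator-aware leetspeak decoding described here. The breach-root list, keyboard rows, leet table, score thresholds and the stripping of a trailing digit run inside the root matcher are all assumptions made for illustration; only the 0–4 scale and the 20+/30+ length floor come from the article.

```javascript
// Added example: a five-detector password scorer in the shape the article
// describes (dictionary, keyboard, repeat, sequence, leetspeak) plus the
// common-root matcher and the length floor. NOT passcore's code; every table
// and threshold below is constructed for illustration.

// Constructed stand-in for a breach-derived dictionary (lowercase roots).
const BREACH_ROOTS = new Set([
  "password", "qwerty", "letmein", "welcome", "monkey", "dragon",
  "admin", "test", "user", "login", "pass", "access",
]);

// Keyboard rows checked for 4+ character walks in either direction.
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Leetspeak characters mapped back to the letter they usually replace.
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };

// Detector 1: common-root matcher. Strips leading/trailing non-alphanumerics,
// lowercases, and (assumption) also drops a trailing digit run, so that
// "Password1!" and "Admin123" reduce to "password" and "admin".
function commonRoot(pw) {
  const core = pw.replace(/^[^a-z0-9]+|[^a-z0-9]+$/gi, "").toLowerCase();
  if (BREACH_ROOTS.has(core)) return core;
  const root = core.replace(/\d+$/, "");
  return BREACH_ROOTS.has(root) ? root : null;
}

// Detector 2: keyboard walks such as "qwer" or "1234", forwards or backwards.
function keyboardPattern(pw, minLen = 4) {
  const s = pw.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    for (const r of [row, [...row].reverse().join("")]) {
      for (let i = 0; i + minLen <= r.length; i++) {
        const walk = r.slice(i, i + minLen);
        if (s.includes(walk)) return walk;
      }
    }
  }
  return null;
}

// Detector 3: the same character three or more times in a row ("aaaa").
function repeatedChars(pw) {
  const m = /(.)\1{2,}/.exec(pw);
  return m ? m[0] : null;
}

// Detector 4: runs of 4+ characters whose code points step by exactly +1 or -1
// ("abcdef", "123456", "fedcba").
function sequentialRun(pw, minLen = 4) {
  for (let i = 0; i + minLen <= pw.length; i++) {
    const step = pw.charCodeAt(i + 1) - pw.charCodeAt(i);
    if (step !== 1 && step !== -1) continue;
    let j = i + 1;
    while (j < pw.length && pw.charCodeAt(j) - pw.charCodeAt(j - 1) === step) j++;
    if (j - i >= minLen) return pw.slice(i, j);
  }
  return null;
}

// Detector 5: decode leetspeak, then split on non-letters so a separator such
// as "=" in "N0=Acc3ss" does not hide the root word "access".
function leetRoot(pw) {
  const decoded = [...pw.toLowerCase()].map((c) => LEET[c] ?? c).join("");
  for (const seg of decoded.split(/[^a-z]+/)) {
    if (seg.length >= 4 && BREACH_ROOTS.has(seg)) return seg;
  }
  return null;
}

// Run all five detectors in sequence and report which ones fired.
function detect(pw) {
  const hits = [];
  const root = commonRoot(pw);      if (root) hits.push(`dictionary:${root}`);
  const walk = keyboardPattern(pw); if (walk) hits.push(`keyboard:${walk}`);
  const rep = repeatedChars(pw);    if (rep) hits.push(`repeat:${rep}`);
  const seq = sequentialRun(pw);    if (seq) hits.push(`sequence:${seq}`);
  const leet = leetRoot(pw);        if (leet) hits.push(`leet:${leet}`);
  return hits;
}

// Score 0-4. Any detector hit caps the score at 1 (0 if short or several hits).
// Otherwise length drives the score, three or more character classes add one,
// and the article's floor applies: 20+ chars => at least 3, 30+ chars => 4.
function scorePassword(pw) {
  const hits = detect(pw);
  const len = pw.length;
  if (hits.length > 0) return { score: hits.length > 1 || len < 8 ? 0 : 1, hits };
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
  let s = len < 8 ? 0 : len < 12 ? 1 : len < 16 ? 2 : 3;
  if (classes >= 3 && s > 0) s += 1;
  if (len >= 30) s = 4;
  else if (len >= 20) s = Math.max(s, 3);
  return { score: Math.min(s, 4), hits };
}

// Usage on a few constructed inputs.
for (const pw of ["Password1!", "N0=Acc3ss", "qwerty12345", "correct horse battery staple"]) {
  console.log(JSON.stringify(pw), scorePassword(pw));
}
```

Two design choices worth noting. The length floor is applied only after the detectors have passed, so a long string built from a breached root still scores 0 or 1; and the repeat detector as written only sees repeated characters, not repeated words, so a deployment would want a repeated-token check alongside it before trusting the floor on passphrases.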
For teams tired of trading user experience for marginally better security, swapping zxcvbn for passcore is a one-line change that can shave hundreds of kilobytes and milliseconds off every page load.
Source: DEV Community. AI-assisted editorial synthesis — TechnoExpress.

