What does the Password Strength Checker API analyse?

The API evaluates passwords using entropy calculations, character composition analysis, pattern detection, known breach intelligence, real-world attack models, and NIST 800-63 guidance.

Does the API check breached passwords?

Yes. Passwords are checked against known breach datasets using a privacy-preserving k-anonymity model powered by Have I Been Pwned.

Are passwords stored or logged?

No. Passwords are analysed in memory only and are never stored, logged, or retained.

Is this suitable for authentication flows?

Yes. The API is designed for signup validation, password rotation policies, security audits, and automated enforcement pipelines.

Developer Interface

Password Strength Checker API

Analyse password strength using entropy scoring, breach intelligence, pattern detection, attack modelling, and NIST 800-63 compliance checks.

The Velohost Password Strength Checker API provides a comprehensive, security-focused assessment of passwords beyond basic length or character rules.

It combines entropy analysis, pattern detection, breach intelligence, real-world attack modelling, and standards-based compliance checks to determine whether a password is safe for modern authentication systems.

Base API URL

All endpoints listed below are relative to this base URL.

Base API URL https://api.velohost.co.uk/password-strength/

Rate limiting

This API is protected by a global rate limit to ensure fair usage and platform stability.

Limit: 30 requests per 10 seconds per IP address
Burst traffic is allowed
No authentication required
Requests exceeding the limit return HTTP 429

This limit applies across all Velohost public APIs.

Error Responses

The API uses standard HTTP status codes to indicate errors.

429 Too Many Requests

Returned when the global rate limit is exceeded.

{
  "detail": "Rate limit exceeded"
}

400 Bad Request

Returned when the password field is missing or invalid.

Endpoints

Check Password Strength

Analyses a password and returns strength classification, entropy, detected patterns, breach exposure, attack feasibility, and NIST 800-63 compliance status.

Request

POST /check

Request

{
  "password": "V3ryStr0ngP455w04d123!"
}

Response

 {
  "length": 22,
  "entropy_bits": 144.2,
  "strength": "very strong",
  "score": 4,
  "overall_risk": "low",

  "composition": {
    "lowercase": true,
    "uppercase": true,
    "digits": true,
    "symbols": true
  },

  "patterns": {
    "repeats": false,
    "sequences": true,
    "keyboard": false,
    "substitutions": false,
    "warnings": [
      "Sequential characters detected"
    ]
  },

  "warnings": [
    "Sequential characters detected"
  ],

  "attack_models": {
    "brute_force": {
      "guesses_per_second": 10000000000,
      "average_time_seconds": 1.2816893733187982e+33,
      "estimated_time": "effectively uncrackable with current technology",
      "model": "random brute force"
    },
    "dictionary_attack": {
      "risk": "unknown",
      "based_on": "known password breaches"
    }
  },

  "have_i_been_pwned": {
    "found": false,
    "times_seen": 0,
    "provider": "Have I Been Pwned",
    "privacy_model": "k-anonymity",
    "confidence": "high"
  },

  "nist_800_63": {
    "min_length_8": true,
    "breached_password_check": true,
    "composition_rules_required": false,
    "compliant": true
  }
}

Learn more

Explore the tool, documentation, and guides.

Use The Password Strength Checker Password Strength FAQs