> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Password Strength Check

> Check password strength using the Stytch Vanilla JS SDK

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

`passwords.strengthCheck` wraps the [Strength Check](/api-reference/b2b/api/passwords/strength-check) Password API endpoint.

This endpoint allows you to check whether or not the <Tooltip tip={member}>Member's</Tooltip> provided password is valid based on the configuration set in your [Stytch Dashboard](https://stytch.com/dashboard/password-strength-config), and to provide feedback to the <Tooltip tip={member}>Member</Tooltip> on how to increase the strength of their password.

## Parameters

<ParamField path="password" type="string" required>
  The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.
</ParamField>

<ParamField path="email_address" type="string">
  The email associated with the password. Provide this for a more accurate strength check.
</ParamField>

### Response fields

<ResponseField name="valid_password" type="boolean">
  Returns true if the password passes our password validation. We offer two validation options, [zxcvbn](/multi-tenant-auth/authentication/passwords/strength-policy#zxcvbn) is the default option which offers a high level of sophistication. We also offer [LUDS](/multi-tenant-auth/authentication/passwords/strength-policy#luds)  which is less sophisticated but easier to understand. If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
</ResponseField>

<ResponseField name="score" type="number">
  The score of the password determined by [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between 1 and 4, a 3 or greater is required to pass validation.
</ResponseField>

<ResponseField name="strength_policy" type="string">
  The strength policy type enforced, either `zxcvbn` or `luds`.
</ResponseField>

<ResponseField name="breach_detection_on_create" type="boolean">
  Will return true if breach detection will be evaluated. By default this option is enabled. This option can be disabled in the [dashboard](https://stytch.com/dashboard/password-strength-config#breach-detection). If this value is false then `breached_password` will always be false as well.
</ResponseField>

<ResponseField name="breached_password" type="boolean">
  Returns true if the password has been breached. Powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
</ResponseField>

<ResponseField name="zxcvbn_feedback" type="object">
  The feedback object contains relevant information to relay to users that failed to create a strong enough password.

  <Expandable title="properties">
    <ResponseField name="warning" type="string">
      The warning message to display to the user.
    </ResponseField>

    <ResponseField name="suggestions" type="array">
      The suggestions to display to the user.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="luds_feedback" type="object">
  The feedback object contains relevant information to relay to users that failed to create a strong enough password.

  <Expandable title="properties">
    <ResponseField name="has_lower_case" type="boolean">
      Returns true if the password has a lowercase letter.
    </ResponseField>

    <ResponseField name="has_upper_case" type="boolean">
      Returns true if the password has an uppercase letter.
    </ResponseField>

    <ResponseField name="has_digit" type="boolean">
      Returns true if the password has a digit.
    </ResponseField>

    <ResponseField name="has_symbol" type="boolean">
      Returns true if the password has a symbol.
    </ResponseField>

    <ResponseField name="missing_complexity" type="number">
      Returns the number of complexity requirements that the password is missing.
    </ResponseField>

    <ResponseField name="missing_characters" type="number">
      Returns the number of characters that the password is missing.
    </ResponseField>
  </Expandable>
</ResponseField>

<RequestIdResponseField />

<StatusCodeResponseField />

<Panel>
  <RequestExample>
    ```javascript theme={null}
    import { StytchB2BClient } from '@stytch/vanilla-js/b2b';

    const stytch = new StytchB2BClient('public-token-test-b8c84de4-7d58-4ffc-9341-432b56596862');

    // Check password strength
    const checkStrength = async (password) => {
      const response = await stytch.passwords.strengthCheck({
        password: password,
        email_address: 'user@example.com',
      });

      console.log('Valid:', response.valid_password);
      console.log('Score:', response.score, '/4');
      if (response.breached_password) {
        console.log('Warning: Password has been breached!');
      }
    };

    checkStrength('testPassword123!');
    ```
  </RequestExample>
</Panel>