Help Center

Security

How Leather Evaluates Password Strength

Oct 29, 2025

Leather keeps your account as secure as possible. We do not store your secret key and you are responsible for keeping your keys and account secure.

Evaluating Password Strength

When creating a wallet in the Leather extension, you’ll be asked to set a password. Some users have noticed that the extension sometimes rejects passwords that seem long or complex — and they’re right to ask why. This article explains how password strength is measured in Leather, why it can seem unpredictable, and what your options are.

We use zxcvbn — not a fixed set of rules

Leather uses zxcvbn-ts, a TypeScript port of zxcvbn, the password strength estimator originally developed by Dropbox. The library doesn’t apply hard rules like “minimum 12 characters” or “must include a number.” Instead, it searches the password for the patterns a cracking tool would try first: entries from large lists of leaked passwords, names and dictionary words (including l33t-style substitutions and capitalisation), keyboard walks, repeated characters, sequences, and dates. From the patterns it finds, it estimates how many guesses an attacker using modern tools would need, and that estimate is what the score reflects.

For example, Tr0ub4dor&3 looks secure because it mixes uppercase, lowercase, digits, and a symbol. But zxcvbn recognises it as the word “troubador” with two common substitutions (0 for o, 4 for a), a leading capital, and a short suffix, and rates it far lower than its appearance suggests. Meanwhile, a phrase like correct horse battery staple might be accepted because four independent words take many more guesses to reach, even without symbols or digits. Pick your own words, though: a famous phrase that shows up in leaked password lists is matched like any other dictionary entry.

This is why some passwords that appear strong get rejected — and some simpler-looking ones are accepted.
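To make the method concrete, here is an added illustration, not Leather's code and not zxcvbn-ts itself: a deliberately small estimator built the way zxcvbn works. It finds pattern matches (dictionary words with l33t and capitalisation variations, straight keyboard runs, and brute force for anything left over), then picks the sequence of non-overlapping matches that an attacker would need the fewest guesses to cover. The word list, its ranks, and the keyboard constants are constructed for the example; the real library ships large leaked-password lists and more matchers (repeats, sequences, dates, multiple l33t decodings) than are shown here.

```javascript
// Toy zxcvbn-style estimator (added example). Constants marked "constructed"
// are this example's choices, not values taken from Leather or zxcvbn-ts.
const DICTIONARY = {             // word -> rank, 1 = most common (constructed)
  password: 2, password123: 40, qwerty: 5, correct: 1500, horse: 2200,
  battery: 4000, staple: 9000, troubador: 30000, leather: 2500, wallet: 3100,
};
const L33T = { a: ['4', '@'], e: ['3'], i: ['1', '!'], o: ['0'], s: ['$', '5'], t: ['7'] };
const REVERSE_L33T = {};          // symbol -> letter it usually stands for
for (const [letter, subs] of Object.entries(L33T)) {
  for (const sub of subs) if (!(sub in REVERSE_L33T)) REVERSE_L33T[sub] = letter;
}
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
const KEYBOARD_STARTS = 94;       // possible starting keys (constructed, qwerty-like)
const KEYBOARD_DEGREE = 4.6;      // average neighbours per key (constructed)
const BRUTEFORCE_CARDINALITY = 10;
const MIN_GUESSES_BEFORE_GROWING_SEQUENCE = 10000;

function nCk(n, k) { let r = 1; for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i; return r; }
function factorial(n) { let r = 1; for (let i = 2; i <= n; i++) r *= i; return r; }

// Capitalisation multiplies guesses: a single leading capital only doubles them.
function uppercaseVariations(token) {
  if (!/[A-Z]/.test(token)) return 1;
  if (/^[A-Z][^A-Z]+$/.test(token) || /^[^A-Z]+[A-Z]$/.test(token) || /^[A-Z]+$/.test(token)) return 2;
  const U = (token.match(/[A-Z]/g) || []).length;
  const L = (token.match(/[a-z]/g) || []).length;
  let v = 0;
  for (let i = 1; i <= Math.min(U, L); i++) v += nCk(U + L, i);
  return v;
}

// Each letter that was substituted adds only a small factor (which occurrences
// were swapped), so "Tr0ub4dor" is not far from "troubador" in guess count.
function l33tVariations(token) {
  const lower = token.toLowerCase();
  let variations = 1;
  for (const [letter, subs] of Object.entries(L33T)) {
    let subbed = 0, unsubbed = 0;
    for (const c of lower) { if (subs.includes(c)) subbed++; else if (c === letter) unsubbed++; }
    if (subbed === 0) continue;
    if (unsubbed === 0) { variations *= 2; continue; }
    let p = 0;
    for (let i = 1; i <= Math.min(unsubbed, subbed); i++) p += nCk(unsubbed + subbed, i);
    variations *= p;
  }
  return variations;
}

function dictionaryMatches(password) {
  const out = [];
  for (let i = 0; i < password.length; i++) {
    for (let j = i + 1; j <= password.length; j++) {
      const token = password.slice(i, j);
      const lower = token.toLowerCase();
      const unl33t = lower.split('').map((c) => REVERSE_L33T[c] || c).join('');
      for (const [word, l33t] of [[lower, false], [unl33t, true]]) {
        if (l33t && word === lower) continue;          // no substitution took place
        if (!(word in DICTIONARY)) continue;
        const guesses = DICTIONARY[word] * uppercaseVariations(token) * (l33t ? l33tVariations(token) : 1);
        out.push({ pattern: l33t ? 'dictionary(l33t)' : 'dictionary', i, j, token, guesses });
      }
    }
  }
  return out;
}

// Straight runs along one keyboard row, forwards or backwards ("zxcvbn", "ytrewq").
function spatialMatches(password) {
  const out = [];
  const lower = password.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    for (let i = 0; i < lower.length; i++) {
      const start = row.indexOf(lower[i]);
      if (start < 0) continue;
      for (const dir of [1, -1]) {
        let j = i + 1;
        while (j < lower.length) {
          const idx = row.indexOf(lower[j]);
          if (idx < 0 || idx !== start + dir * (j - i)) break;
          j++;
        }
        if (j - i >= 3) out.push({ pattern: 'spatial', i, j, token: password.slice(i, j),
                                   guesses: (j - i - 1) * KEYBOARD_STARTS * KEYBOARD_DEGREE });
      }
    }
  }
  return out;
}

function bruteforceMatch(password, i, j) {
  return { pattern: 'bruteforce', i, j, token: password.slice(i, j), guesses: Math.pow(BRUTEFORCE_CARDINALITY, j - i) };
}

// Dynamic programming over prefix length k and number of matches l: each extra
// match costs l! orderings plus an additive floor, so many tiny matches cannot
// make a password look cheap to guess.
function mostGuessableSequence(password, matches) {
  const n = password.length;
  const total = (product, l) => factorial(l) * product + Math.pow(MIN_GUESSES_BEFORE_GROWING_SEQUENCE, l - 1);
  const optimal = Array.from({ length: n + 1 }, () => []);   // optimal[k][l] = {product, seq}
  optimal[0][0] = { product: 1, seq: [] };
  for (let k = 1; k <= n; k++) {
    const candidates = matches.filter((m) => m.j === k);
    for (let i = 0; i < k; i++) candidates.push(bruteforceMatch(password, i, k));
    for (const m of candidates) {
      optimal[m.i].forEach((prev, l) => {
        const product = prev.product * m.guesses;
        const cur = optimal[k][l + 1];
        if (!cur || total(product, l + 1) < total(cur.product, l + 1)) optimal[k][l + 1] = { product, seq: prev.seq.concat(m) };
      });
    }
  }
  let best = null;
  optimal[n].forEach((cand, l) => {
    const guesses = total(cand.product, l);
    if (!best || guesses < best.guesses) best = { guesses, seq: cand.seq };
  });
  return best;
}

// Score bands are guess counts, not character-class rules.
function scoreFromGuesses(guesses) {
  const DELTA = 5;
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

function estimateGuesses(password) {
  const best = mostGuessableSequence(password, dictionaryMatches(password).concat(spatialMatches(password)));
  return { guesses: best.guesses, score: scoreFromGuesses(best.guesses), sequence: best.seq.map((m) => `${m.pattern}:${m.token}`) };
}

for (const pw of ['Tr0ub4dor&3', 'correcthorsebatterystaple', 'password123', 'zxcvbn']) {
  const r = estimateGuesses(pw);
  console.log(`${pw.padEnd(26)} score ${r.score}  log10(guesses)=${Math.log10(r.guesses).toFixed(1)}  ${r.sequence.join(' + ')}`);
}
```

With these constructed ranks, Tr0ub4dor&3 decomposes into one l33t dictionary word plus two brute-forced characters and lands at score 2, while correcthorsebatterystaple decomposes into four dictionary words whose ranks multiply into score 4. That multiplication, rather than any character-class rule, is why the longer, symbol-free phrase wins.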

What this means in practice

  • Leather does not use fixed character rules like "at least one uppercase letter."

  • zxcvbn evaluates the entire string in context, not just length or complexity.

  • Common patterns or predictable strings (like password123, qwerty, or even zxcvbn, which is itself a keyboard walk along the bottom row) are intentionally flagged as weak.

We know this can feel confusing, especially if you’re used to password systems that follow rigid but easy-to-understand rules. We chose zxcvbn because it encourages passwords that are actually harder to crack, not just harder to remember.

What your password is (and isn't) used for

Your password in the Leather extension is used to lock and unlock the wallet in your specific browser instance. It is not used to generate your keys: every key in the wallet is derived from your Secret Key, and the password plays no part in that derivation. If you forget your password, you can reset the wallet and restore it from your Secret Key, then set a new password.

This means:

  • You are never locked out of your funds as long as you have your Secret Key.

  • Passwords can be changed by resetting and restoring the wallet.

  • If you'd prefer not to use a password at all, using Leather with a Ledger hardware wallet skips password creation entirely (you’ll use the Ledger device’s PIN instead).

Why we haven't published specific rules

Since we don’t rely on a fixed set of requirements, there isn’t a “rule list” we can publish. But we agree that the system can seem opaque without context — and that’s why we’re sharing this explanation. If you're curious to experiment or want to learn more, you can try out the zxcvbn demo to see how different passwords are rated.

We hope this helps clarify how Leather handles password strength, and why we’ve taken this approach. Your feedback helps us improve, and we’re grateful to those who raise these questions.