[Validator] Improve entropy estimation in PasswordStrengthValidator #49879


Merged: 1 commit, Apr 1, 2023

Conversation

nicolas-grekas
Member

@nicolas-grekas nicolas-grekas commented Mar 31, 2023

Q A
Branch? 6.3
Bug fix? no
New feature? no
Deprecations? no
Tickets -
License MIT
Doc PR -

Improves the estimation of the entropy from #49856 a bit.

/cc @Spomky

@Spomky
Contributor

Spomky commented Mar 31, 2023

Hello @nicolas-grekas,

I played with this new calculation method and it gives an entropy that is approx. +40% compared to the one I proposed.
I have no remark to be honest.

  • An 8-char password with [a-zA-Z0-9]+symbols almost always has a strength of 2, which is fine.
  • A 10-char one gives 3.
  • With 12 chars or more I have 4.

Looks good to me 👌🏼.

@Spomky
Contributor

Spomky commented Mar 31, 2023

Also, as noted by @stof in this #49868 (comment), the named argument of the constraint should be at the end.
We could take the opportunity of this PR to move the argument $minScore.

@nicolas-grekas
Member Author

> We could take the opportunity of this PR to move the argument $minScore.

Right, updated!

> it gives an entropy that is approx. +40%

Thanks for checking. I think the new logic better accounts for things like mixing character case, symbols and others, and also duplicate chars.

@nicolas-grekas nicolas-grekas merged commit cc7cdf2 into symfony:6.3 Apr 1, 2023
@nicolas-grekas nicolas-grekas deleted the validator-entropy branch April 3, 2023 13:36
@kriskoch

kriskoch commented Jun 20, 2023

Is it just me, or does this feature seem to be tuned too harshly?

I used the BitWarden random password generator to generate some random passwords and then ran them through this algorithm:

%ba9J$3eTvqm -> 68 (Weak)
n54Pwq^Qq4CN -> 72 (Weak)
j*@CQ7$RHwuYPt -> 91 (Medium)
horse battery staple -> 99 (Medium)

Now, out of all of those passwords, it makes no sense why horse battery staple would be stronger than the other three.
The first 3, I think anyone reasonable would consider strong/very strong, or at least medium... No way the first one would be weak.

@Spomky
Contributor

Spomky commented Jun 20, 2023

Hi,

Estimating the strength of a password is not so easy. And I must admit there is no standard way to achieve this.
With the previous iteration of this feature, the estimate was tougher than this one, and with the examples you shared, the results would be 43, 39, 53 and 71 respectively.
I submitted them to https://timcutting.co.uk/tools/password-entropy and the results are almost the same.
horse battery staple being safer than the other ones seems to be counter-intuitive, but the fact is that the strength is greatly influenced by the length:

  • Number of possibilities for a 20-char passphrase (e.g. horse battery staple) of a-z+space = 27^20 = 42x10^27
  • Number of possibilities for a 14-char password (e.g. j*@CQ7$RHwuYPt) of all 97 writable chars on an ASCII keyboard = 97^14 = 4x10^27

Nowadays, passwords with a length of 12 (~80 bytes entropy) or lower can be (statistically) guessed too easily and should be considered risky. You can still adjust the threshold if needed.

Illustration source: https://www.hivesystems.io/blog/are-your-passwords-in-the-green (also depends on the way the passwords are stored)
[Image: 2023 Password Table]
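To make the length-versus-alphabet argument in the comment above concrete, here is an added Python example (not Symfony's PasswordStrengthValidator, whose scoring it does not reproduce) that computes the brute-force search-space entropy length × log2(pool) for the four passwords quoted in the thread. The character-class pool sizes and the optional repeated-character model are assumptions of this example.

```python
import math
import string

# Character classes and the pool size each contributes once it appears.
# These sizes are an assumption of this example, not Symfony's implementation.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "space": ({" "}, 1),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
}


def pool_size(password: str) -> int:
    """Alphabet a brute-force search must cover: union of the classes present,
    plus one per character that belongs to no known class (e.g. non-ASCII)."""
    pool = sum(size for chars, size in CHAR_CLASSES.values()
               if any(c in chars for c in password))
    known = set().union(*(chars for chars, _ in CHAR_CLASSES.values()))
    return pool + len({c for c in password if c not in known})


def entropy_bits(password: str, penalize_repeats: bool = False) -> float:
    """log2(pool ** length) = length * log2(pool), ignoring dictionary structure.
    With penalize_repeats, a character already seen contributes only
    log2(distinct chars seen so far) bits (a modelling choice of this example),
    since reusing a known character is cheaper to guess than a fresh one."""
    if not password:
        return 0.0
    per_char = math.log2(pool_size(password))
    if not penalize_repeats:
        return len(password) * per_char
    bits, seen = 0.0, set()
    for c in password:
        if c in seen:
            bits += math.log2(len(seen))
        else:
            seen.add(c)
            bits += per_char
    return bits


def rank_by_entropy(passwords, penalize_repeats: bool = False):
    """Return (password, bits) pairs, strongest first."""
    scored = [(p, entropy_bits(p, penalize_repeats)) for p in passwords]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# The four passwords quoted in the thread (constructed sample input).
SAMPLES = ["%ba9J$3eTvqm", "n54Pwq^Qq4CN", "j*@CQ7$RHwuYPt", "horse battery staple"]

if __name__ == "__main__":
    for pw, bits in rank_by_entropy(SAMPLES):
        print(f"{pw:22} {len(pw):2} chars  pool {pool_size(pw):3}  ~{bits:.1f} bits")
```

The 20-character passphrase over a 27-symbol alphabet lands near 95 bits, ahead of the 14-character mixed password at roughly 92 bits, which is exactly the ordering the thread found surprising.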
