This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and numbers, but on how easy they are to crack in reality. To increase the safety of your users account, you can force them to use passwords of a minimum length, minimum strength and even force them to exclude certain words from their passwords (like your site name, the topic your site refers to, etc.). But the other side of the equation, is no matter how secure the password is, if it has been compromised not password strength estimator will help make it better. As such NIST has the following guidance: check passwords against those obtained from previous data breaches. Pwned Password integration does that.