[thefsb]

it's mostly good. NIST abolished their algo for pasword entropy estimation some time ago. i do not much like any password strength tests, most of which rate any number of terrible passwords as strong. as such i think they give a false sense of security. maybe consider cracklib.

as DenisM said, always use SSL for all traffic if security matters and don't trust SO for security advice.

[debacle]

The only really useful password strength test would be one that said "A stock Thinkpad would be able to brute force this password in $x hours and $y minutes."

Might make people think twice about that six character password.

[bigiain]

How about a response that says "we just googled that combination of email address and the md5 hash of that password, it's been listed in at least 7 different database disclosures, including the Gawker one, the Sony one, and 5 different pr0n site compromises. We suggest using a different password here."

;-)

[jvdongen]

That is only useful if you also specify yhe conditions under which the "cracking" takes place. Do you mean on-line password guessing? Or do you mean brute-forcing a hashed password leaked from a database?

In case 1 a lock-out policy would quite easily negate your attack. In case two the hashing algorithm used is often more important than the length and complexity of the password (up to a point of course, but that point is nowadays well beyond what's pactical for a user)

[leviathan]

I think you're expecting too much from users. They need to know what does "brute force"ing a password mean, what's a stock Thinkpad, and why it does matter.