by x1798DE 4393 days ago
Not sure how this works, but if I were writing something that checks "goodness" of passwords, I'd want to check it against a large, sorted list of like the 100 million most common passwords (since almost any attacker would start with a dictionary attack, and 10-100 million passwords is decently quick to run against a weak key derivation function). Such a database would be huge, so you'd prefer to do that server-side.
4 comments

Look at the list of things they check. It shows you how they calculate the score for the password. The actual scoring is in fact done in JavaScript, which you can see when you inspect the page.

They want the password on the server side purely for statistics or some other reason that has nothing to do with scoring how "secure" the password is.

Like dasmoth says, use a Bloom filter.

Or run the length and character checks in JavaScript, then hash the password and send the hashed version for dictionary lookup.
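
The split the two comments above describe (dasmoth's Bloom filter for the common-password set, and this comment's "hash locally, look up server-side") is sketched below as an added example; it is not code from the thread or from the site being discussed. Both halves are written in Python for a single runnable file, with the browser-side part standing in for what would really be JavaScript. The ten-entry COMMON_PASSWORDS list is a constructed stand-in for the 100-million-entry list mentioned in the thread, and the sizing formulas are the standard Bloom filter ones (m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash positions).

```python
import hashlib
import math

# Constructed sample standing in for the "100 million most common passwords"
# list from the thread (assumption: the real list is loaded server-side from a file).
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "dragon", "iloveyou",
    "monkey", "football", "abc123", "welcome1",
]


def hash_password(password: str) -> str:
    """Browser side: only the SHA-256 digest of the candidate password leaves the client."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class BloomFilter:
    """Minimal Bloom filter keyed on strings; no false negatives, tunable false positives."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        # Standard sizing for n items at target rate p.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate)
                                  / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / expected_items) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _indices(self, key: str):
        # Double hashing: derive k positions as h1 + i*h2 (mod m) from one SHA-256 digest.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1  # keep the step odd so it is never zero
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, key: str) -> None:
        for idx in self._indices(key):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, key: str) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indices(key))


def build_server_filter(passwords, false_positive_rate: float = 1e-6) -> BloomFilter:
    """Server side, done once: index the digest of each common password, since the
    client will send digests rather than plaintext."""
    bf = BloomFilter(len(passwords), false_positive_rate)
    for pw in passwords:
        bf.add(hash_password(pw))
    return bf


SERVER_FILTER = build_server_filter(COMMON_PASSWORDS)


def server_is_common(password_hash: str) -> bool:
    """Server side, per request: membership query on the received digest."""
    return password_hash in SERVER_FILTER


def client_local_checks(password: str) -> list:
    """Browser side: the cheap length and character-class checks that need no server."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


def check_password(password: str) -> dict:
    """Full flow: local checks, then one digest sent for the dictionary lookup."""
    problems = client_local_checks(password)
    if server_is_common(hash_password(password)):
        problems.append("appears in common-password list")
    return {"acceptable": not problems, "problems": problems}


if __name__ == "__main__":
    for candidate in ("123456", "Tr0ub4dor&3-long-enough"):
        print(candidate, check_password(candidate))
```

Two properties worth keeping in mind when reading it: a Bloom filter never misses a listed password (every entry sets all of its k bits), so a positive answer is safe to act on even though a small fraction of unlisted passwords will also be flagged; and an unsalted fast hash of a low-entropy password is only a lookup key, not a secret, because anyone holding the same dictionary can recompute it, so the value of hashing here is keeping plaintext out of request logs rather than protecting the password from the server.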

They don't seem to do a dictionary check at all.
Bloom filter?