@dflinn Thank you for taking the time to respond. I hope that you (and anybody else involved in the development of this feature) will read the discussion that I linked above, and take it to heart.
The zxcvbn tool currently used by Bitwarden is slightly more sophisticated than some other calculators out there, but all such tools (tools based on analysis of user-supplied passwords) are fundamentally invalid, and will more frequently than not produce misleading results. The only valid way to determine password strength is to estimate password entropy based on the user-selectable settings that have been configured in the password generator (e.g., character sets and password length). An example of such a tool is the password strength calculator from the PasswordBits.com site. If the user enters their own typed password instead of using the generator, then the only feedback they should receive is a warning that their password may be weak (because its entropy is impossible to determine).
However, even if the entropy (essentially, a measure of the number of possible permutations that a password cracker would have to test in order to find the user’s password) has been correctly estimated, it is impossible to translate this into a valid judgment about whether the password is likely to be crackable or not, because the results of such analysis can vary by multiples of many billions, depending on what assumptions are made (and assumptions that may be valid for one password are not going to be valid for other passwords).
For example, Bitwarden’s current password strength calculator assumes that an attacker will only be able to test 10,000 password guesses every second. At this rate, a password that is a random 15-digit number (e.g., 291630688660687) would take an average of 1585 years to crack, and would presumably earn a rating of “Excellent” from the new tool — Bitwarden’s current password strength calculator assesses it as “strong” and claims it would take “centuries” to crack.
The problem with this conclusion is that a real hacker who is using a single high-end GPU (costing $2000 or less) is not limited to testing only 10,000 password guesses per second (the hash rate assumed by Bitwarden’s tool). If the website where the password hash was leaked from used MD5 hashing, then password cracking can be done at a rate of 164 billion guesses per second — which reduces average the time to crack to less than one hour. So, should Bitwarden really be in the business of telling this user that their password is “Excellent” and that they have achieved “maximum password strength”? 