zxcvbn-ts / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License

A brilliant - and also terrible - idea - for discussion only #67

Closed softwarecreations closed 2 years ago

softwarecreations commented 3 years ago

Why it's brilliant: Search the first n characters of the password on a search engine. See how many results there are. That can be used as one of the password scores (the more results, the lower the score).

Why it's terrible: The password will no longer be a secret if you send it to a search engine. This is probably a showstopper for the idea. You can limit the damage by only sending half of the password, or the first n words/tokens or whatever.

Inspired by the discussion in https://github.com/zxcvbn-ts/zxcvbn/issues/63. The reason I came up with the idea is that if someone uses a password like maryhadalittlelambwhosfleecewaswhiteassnow or whatever, it would likely return a billion search results, even though zxcvbn as it is would probably think it's an amazing password.

MrWook commented 3 years ago

As you wrote yourself, you can't just send a password to search engine xy. This is just a no-go. The HaveIBeenPwned matcher is already kind of shady, but in that implementation you hash the password and only send the first 5 chars of the hash to them. But in general this is kind of covered by the common word and Wikipedia dictionaries. An option would be to search for Google search engine lists and include them as a dictionary.

But if someone really wants to get insulted by privacy advocates, that person could build a custom matcher for the search engines :D.