When you create your account password and your Master Key, Digital ID evaluates their strength. You can use a "good" or "strong" password for your account or as your Master Key, but how does Digital ID evaluate that?
Password strength can be measured in different ways. A common way to evaluate it is to look at how hard it might be to crack using brute force by taking into account the number of characters and the number of possibilities for each character (for exemple 26 with only lowercase letters, 62 for a mix of lowercase letters, uppercase letters and numbers, etc.). Evaluating strength in this way leads to encouraging users to add uppercase letters, numbers and symbols to their passwords. This increases the possible variations for each character, and therefore the difficulty to crack the password by brute-force. However, this is true only if the password consists of random sequences of letters, numbers and symbols (like the passwords generated by your Password Manager).
In practice, people use patterns like names, dictionary words, spatial patterns on their keyboards (like qwerty or zxcvbn), repetitions, or sequences. Uppercase letters are often the first letter, and numbers and symbols can also be predictable (l33t speak, years, dates, simply added at the end, …). As a result, encouraging users to add numbers and symbols only make passwords slightly harder to guess, but much harder for users to remember, particularly if they try to use different passwords for all their accounts. It also stops users from using long passphrases consisting only of random words, which would be both safe and easier to remember.
XKCD best summed-up the problem with this way of evaluating password strength:
To evaluate the strength of your password and of your Master Key (which will unlock all the passwords encrypted in your Password Manager), Digital ID uses ZXCVBN. This is an open-source password strength estimator inspired by password crackers that improves security and flexibility at password creation. Through pattern matching and conservative estimation, it recognizes and weighs common passwords, common names and surnames, popular words or phrases, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak. As a result, a password like "aaAA11!!" or "P@ssword1", which meet standard requirements (lowercase and uppercase letters, numbers and symbols) will be considered as weak. With ZXCVBN, Digital ID can also provide you with instant targeted feedback to help you improve your password and make it less guessable by increasing its complexity.
ZXCVBN allows for different styles of passwords. There is no unique format for "good" or "strong" passwords. These passwords simply present enough complexity: they can include words or passphrases as long as they are sufficiently uncommon, keyboard patterns are ranked based on length and number of turns and shifts along the way ("qwedsazxc" is a little more complex than "qwerty"), and capitalization adds more complexity when it's unpredictaBle.
In addition to evaluating the strength of your password or Master Key with ZXCVB, Digital ID checks them against a list of passwords previously exposed in a data leak as reported by haveibeenpwned ("compromised" passwords). To ensure you use the safest password possible, you will not be able to use "weak" or "compromised" combinations as your account password or your Master Key. If you're having trouble coming up with something suitable, simply follow the tips under the strength meter.