Should we advise users to enhance their passwords by brute-forcing them up to a reasonable amount of time using common password picking techniques?

There are already many typical notifications when you create a password (telling how weak or strong your password is, mostly by counting the number of characters and use of variation). This should be easy to implement (I guess these are available as open source packages).

Personally, I believe

  • It is not really our task to educate (by force) the users in picking good passwords.
  • Those simple strength measures are not that accurate, and they already perceive a password as strong when a suffix or prefix number is added or a capital is added at the beginning or the end (which is not really large randomness).
  • Actively brute-forcing is not necessary, you just need to verify the characteristics of the password. You do not really have to brute-force it. (Possibly that specific site decided to test passwords retroactively - when they only have the hash but not the real password - but when you test the passwords at the moment they are created you do not need to brute-force them.)
  • Codidact is not your online bank account.
  • Websites with restrictive passwords annoy me massively (either they accept too few characters or do not allow sufficient length - although this occurs much less now - or they oblige you to use more than you typically use). If a person desires to use an XKCD-style (MVP: Account database scheme suggestion - #35 by manassehkatz) password sentence of 25 characters length, then why would we dismiss that? Let users use what they wish to use (it might be even more secure than us meddling with their trusted methods and creating confusion).
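As an added example (not code from this thread or from Codidact), here is a check that verifies the characteristics the post describes instead of brute-forcing: it strips the cosmetic prefix/suffix number and a lone capital at either end before comparing the core against a common-password list and estimating its variation, and it sets no upper length limit, so a 25+ character passphrase passes. The word list, the character-class sizes and the 40-bit threshold are assumptions.

```python
import math
import re

# Constructed sample list (assumption): a real deployment would load a large
# breached-password list, but the lookup is still a set membership test.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "codidact", "123456"}
MIN_BITS = 40.0  # acceptance threshold, an assumption for this example

# Rough pool sizes per character class (assumption): lower, upper, digit, other.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def normalize(password: str) -> str:
    """Undo the decorations the post mentions so they earn no credit:
    a leading or trailing run of digits/symbols, and a single capital
    that sits at the first or last position."""
    core = re.sub(r"^[\d\W_]+", "", password)  # prefix number/symbols
    core = re.sub(r"[\d\W_]+$", "", core)      # suffix number/symbols
    uppers = [i for i, c in enumerate(core) if c.isupper()]
    if len(uppers) == 1 and uppers[0] in (0, len(core) - 1):
        i = uppers[0]
        core = core[:i] + core[i].lower() + core[i + 1:]
    return core


def estimate_bits(core: str) -> float:
    """Length times log2 of the combined pool of the classes actually used."""
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, core))
    return len(core) * math.log2(pool) if pool else 0.0


def assess(password: str) -> dict:
    """Characteristic check at creation time: no brute force, no max length."""
    core = normalize(password)
    bits = estimate_bits(core)
    reasons = []
    if core.lower() in COMMON_PASSWORDS:
        reasons.append("core is a common password")
    if bits < MIN_BITS:
        reasons.append("too little variation in the core")
    return {"core": core, "bits": round(bits, 1),
            "acceptable": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple"):
        print(candidate, "->", assess(candidate))
```

`Password1!` is rejected because its core is just `password`, while the 28-character passphrase is accepted without any composition rule.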