Improve the Accuracy for the Weak Password Detection.
According to Proton Pass, this password is weak: !C2&e3D%BNaeyP
According to Hive Systems, Security.org, Kaspersky, NordPass, and Bitwarden, it is considered very secure.
If you generate a password within Proton Pass using symbols, letters, etc. with 14 characters, it considers that password secure, meaning that Proton Pass has a bias for its own generated passwords.
Side Note: The password used in this example was generated by NordPass.
-
Phi Zeroth (Finch) commented
User Gergely Nagy mentioned that it's possible it appeared in a data breach, but I don't think that's the case. Proton Pass considers "correct horse battery staple" to be Strong, while Bitwarden shows that passphrase has been exposed 192 times.
Select 14 characters in the random password generator and toggle on all advanced options. Generate repeatedly and you'll see about half of the generated passwords are considered "Weak" and half considered "Strong". This is not consistent or intuitive for the user.
-
Jerry commented
This might have to do with how password entropy works.
https://proton.me/blog/what-is-password-entropy
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
-
Gergely Nagy commented
I’m not much of an expert, but I can imagine that the password, or a part of it, by chance appeared in a data leak or otherwise contains a common sequence. If that’s the case, it would indeed make it weak because brute force attacks often start with these known sequences and try different variations, making it much less random than it seems. I don’t know if that’s the case here, but I could imagine.
-
Lan commented
I just tested this, and it does show it as weak. But maybe the problem is context telling why. Takes x GPUs x time to *****, reasonable ***** for single GPU person to ***** or x rented GPU per hr or company or nation state or theoretical 5 years from now.
-
Thomas Leuthard commented
It's also not possible to filter just the weak or just the vulnerable passwords in Pass Monitor. Since the number of weak passwords is so big, it's difficult to find the really vulnerable ones. A weakness rating per password from 1-10 would be helpful with the option to sort/filter by this value.
-
websiterepairguy commented
If you are going to object to a password, be more specific about the objection. Merely saying it is "weak" is not much of a hint. Also, the rules for a "weak" 7 character password should be different than those for a 14 character password. How about rules that are different for 8 characters vs. 16 vs. 24, etc? You could alter the algorithm such that the entropy of the character set decreases each time you misuse a character. Thus a password that uses the word "password" could be penalized by eliminating all the characters used in the word "password". Thus the character set decreases by 7 unique characters. Eliminating a 'p', 's', 'w', 'o', 'r' and 'd' from the character set is a better reflection of entropy than eliminating long, long passwords altogether. A better way to identify a weak password is not by penalizing individual violations, but by penalizing violations of the characters themselves.
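An added example (not Proton Pass code, and not written by any of the commenters) that puts the two ideas from the thread side by side in Python: the plain entropy figure Jerry's links describe (length times log2 of the character pool) and websiterepairguy's proposal to shrink the pool by the characters of any common word the password contains. It also folds in the exact-match exposure check Gergely Nagy and Phi Zeroth mention. The word list, the breached-password list, the verdict thresholds and the guess rate are all constructed assumptions for this example, not values from Proton Pass or any of the tools named above.

```python
"""Toy password-strength estimator (added example; not Proton Pass code).

Three checks discussed in the thread:
  * naive entropy   = length * log2(pool size)
  * penalised entropy: the unique characters of every common word found in
    the password are removed from the pool before the entropy is computed
  * exposure: exact match against a (constructed) list of breached passwords
"""
import math
import string

SYMBOLS = string.punctuation + " "  # 33 printable non-alphanumeric characters

# Constructed lists for the example; a real checker would use large corpora.
COMMON_WORDS = {"password", "correct", "horse", "battery", "staple",
                "welcome", "admin", "qwerty"}
BREACHED = {"password", "123456", "correct horse battery staple"}

# Hypothetical guess rate used only to turn bits into a time figure (assumption).
ASSUMED_GUESSES_PER_SECOND = 1e11

# Verdict thresholds in bits (assumption, chosen for illustration only).
STRONG_BITS = 75.0
FAIR_BITS = 50.0


def charset_size(pw: str) -> int:
    """Size of the pool implied by the character classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def naive_entropy_bits(pw: str) -> float:
    """log2(pool ** length): the usual back-of-the-envelope figure."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def penalized_entropy_bits(pw: str, words=COMMON_WORDS) -> float:
    """websiterepairguy's variant: each common word found in the password
    removes its unique characters from the pool before the entropy is taken."""
    n = charset_size(pw)
    if n == 0:
        return 0.0
    lowered = pw.lower()
    removed = set()
    for word in words:
        if word in lowered:
            removed |= set(word)
    n_eff = max(n - len(removed), 1)
    return len(pw) * math.log2(n_eff)


def is_exposed(pw: str, breached=BREACHED) -> bool:
    """Exact-match lookup against the constructed breach list."""
    return pw in breached


def seconds_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a 2**bits keyspace at the assumed rate."""
    return 2.0 ** bits / rate


def assess(pw: str) -> dict:
    """Combine the checks; an exposed password is reported as such regardless
    of its entropy, which is the case the passphrase in the thread illustrates."""
    naive = naive_entropy_bits(pw)
    penalised = penalized_entropy_bits(pw)
    exposed = is_exposed(pw)
    if exposed:
        verdict = "exposed"
    elif penalised >= STRONG_BITS:
        verdict = "strong"
    elif penalised >= FAIR_BITS:
        verdict = "fair"
    else:
        verdict = "weak"
    return {
        "naive_bits": round(naive, 1),
        "penalized_bits": round(penalised, 1),
        "exposed": exposed,
        "verdict": verdict,
        "years_to_exhaust": seconds_to_exhaust(penalised) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for candidate in ("!C2&e3D%BNaeyP", "correct horse battery staple",
                      "Password1!", "hunter2x"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The point the example makes is the one several commenters circle around: a pool-and-length entropy number alone cannot distinguish the NordPass string from a passphrase that has already appeared in breach dumps, so a useful "weak" verdict needs to say which of these checks fired rather than collapsing everything into one label.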
-
Anonymous commented
The "Pass Monitor" tells me that about 400 passwords generated by Firefox (high entropy randomized strings) are weak. I do not believe it. This makes the warning useless.
-
M commented
I noticed this issue as well when coming from another password manager. Several passwords were marked as weak when they were 20 characters generated in the other password manager. Sometimes only changing one letter caused the password to change to strong from weak.