Jeffrey Goldberg

The usual way to determine strength of a specific password is to sacrifice a chicken and then read the entrails. But in 1Password, we do better. We compute the horoscope of the chicken before sacrificing it. Given that some of our staff are vegetarians, we are always looking for alternative approaches.

The sad fact of the matter is that accurate password strength meters are impossible (short of spending years or decades trying to crack the offered password). The reason is that the strength of a password depends largely on the system by which it was generated. That is not something that can be determined with confidence by inspecting a single password.

So the password strength measure in 1Password uses the same sorts of heuristics that others do. It checks against a list of 10000 popular passwords. It looks for simple words and simple combinations. It is very sensitive to password length.

One reason why I'm hesitant to go into too much detail is that we tinker with the details. And we definitely tinker with the cutoffs for various labels, such as "strong". The password strength meter in 1Password 2.5.9 (January 2008) is far more generous than the one today. So this is one of those parts of 1Password that are subject to change.

There are lots of things that we could do to make it stronger. We could use something like PACK (Password Analysis and Cracking Kit) to figure out the rules used for the most common passwords and then test submitted passwords against those rules. We could include the methods used by zxcvbn (see the Dropbox Tech Blog post "zxcvbn: realistic password strength estimation"), and there are other additional smarts we can build into the system.

The reason that we haven't been doing a lot of that is because of diminishing marginal returns. Each additional check we put in adds to code complexity and slows things down, but makes a relatively small improvement in actual results.

So the bad news is that no matter how clever you make your password strength meter, it's going to be limited in its accuracy. The good news is that password strength meters, flawed as they are, help people select better passwords (see "It's official: Password strength meters aren't security theater").

There is one improvement I'd like to see in our strength meter. It should distinguish between passwords created with 1Password's Strong Password Generator and everything else. For things created with the Strong Password Generator, we can calculate precise strength. And any, say, 16-character password created with our password generator (even if limited to letters only) is going to be enormously stronger than any human-created password.

But until then, we have to tune the generator under the assumption that people are making up the passwords being tested. This dramatically under-reports the strength of passwords created with our password generator.
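As an added illustration of the two points above (heuristic checks for human-chosen passwords versus the exact figure available when the generator is known), here is a small meter written for this page. It is not 1Password's code: the word list, the label cutoffs, the function names and the sample passwords are all constructed for the example. The per-character values borrow the user-chosen-password heuristic from the old NIST SP 800-63 Appendix A, which is one common choice, not necessarily 1Password's.

```python
import math
import re

# Constructed stand-in for a "popular passwords" list. 1Password checks against
# about 10,000 entries; these few are here only so the example runs offline.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "monkey", "dragon", "football", "welcome",
}

# Assumed cutoffs for the labels. The answer says the real cutoffs are tuned
# over time, so these numbers are illustrative only.
LABEL_CUTOFFS = [(0, "terrible"), (20, "weak"), (40, "fair"), (64, "good"), (96, "excellent")]


def generated_entropy_bits(length, alphabet_size):
    """Exact strength of a password drawn uniformly at random from an alphabet
    of `alphabet_size` symbols: every position contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def heuristic_bits(password):
    """Rough estimate for a password we must assume a human made up.

    Uses the kinds of checks the answer describes: a popular-password list,
    a 'simple word + digits' pattern, and a strong dependence on length.
    Per-character values follow the old NIST SP 800-63 Appendix A heuristic:
    4 bits for the first character, 2 for each of the next seven, 1.5 up to
    the twentieth, 1 thereafter, plus a 6-bit bonus for mixing upper case
    with non-letters."""
    pw = password.lower()
    if pw in COMMON_PASSWORDS:
        return 0.0
    # Simple combination: a popular word followed by a short numeric suffix.
    # An attacker enumerates (list x suffix), so only the suffix adds guesses.
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", pw)
    if m and m.group(1) in COMMON_PASSWORDS:
        return len(m.group(2)) * math.log2(10)
    bits = 0.0
    for i in range(len(password)):
        if i == 0:
            bits += 4.0
        elif i < 8:
            bits += 2.0
        elif i < 20:
            bits += 1.5
        else:
            bits += 1.0
    has_upper = any(c.isupper() for c in password)
    has_nonalpha = any(not c.isalpha() for c in password)
    if has_upper and has_nonalpha:
        bits += 6.0
    return bits


def label_for(bits):
    """Map a bit estimate to a label using the assumed cutoffs above."""
    name = LABEL_CUTOFFS[0][1]
    for threshold, candidate in LABEL_CUTOFFS:
        if bits >= threshold:
            name = candidate
    return name


def rate(password, generator_alphabet_size=None):
    """Rate a password. If the caller knows it came from a random generator
    drawing from `generator_alphabet_size` symbols, the exact figure is used;
    otherwise fall back to the human-password heuristic."""
    if generator_alphabet_size is not None:
        bits = generated_entropy_bits(len(password), generator_alphabet_size)
        basis = "exact (known generator)"
    else:
        bits = heuristic_bits(password)
        basis = "heuristic (assumed human-chosen)"
    return {"bits": round(bits, 1), "label": label_for(bits), "basis": basis}


if __name__ == "__main__":
    # Constructed samples. The last string is rated twice: once as an unknown
    # password, once as one we know came from a generator restricted to the
    # 26 lower-case letters, to show how far the heuristic under-reports it.
    samples = [
        ("password", None),
        ("password123", None),
        ("Summer2024!", None),
        ("xqzvbnkmrtplwdfy", None),
        ("xqzvbnkmrtplwdfy", 26),
    ]
    for pw, alphabet in samples:
        print(f"{pw:18} {rate(pw, alphabet)}")
```

The same 16 lower-case letters score 30 bits under the heuristic and about 75 bits when the meter is told they were drawn uniformly from a 26-letter alphabet; the only difference is knowledge of how the password was produced, which is exactly what a meter cannot recover from the string alone.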

© Quora, Inc. 2025