Password strength check should be disabled by default

In comment #32 of #432962: Add option to disable password strength checking @darioshanghai says:

Password checker should be optional and disabled.

- it's confusing to use
- it's not necessary. Even big websites don't have one (google? facebook? twitter?)
- it takes a split second to tick the appropriate tickbox to enable, while it can take an hour or two to figure out how to disable it

Speaking as unexperienced developer, it's very frustrating and incredibly time consuming to have to figure stuff out to REMOVE features. In my particular case I have tried for over one hour editing CSS and the damn thing, although invisible, is causing a blank space to appear all of a sudden under the password box, on drupal 7 with the included theme. (See image).

What's gonna happen is that I'll have to just live with it or accept a crappy theme until I learn how to hack the core. This is wrong.

Please consider simplicity a priority. Thank you.

I don't think it's confusing to use, I do think it's necessary as we want to encourage more security where we can.

If it's there and you want to find out how to disable it then we now have a solution for that once #432962: Add option to disable password strength checking has been committed. It will take a split second to disable whereas could take a lifetime to discover if you don't even know it's there so wouldn't even be asking how to switch it on.

Earlier in the discussion in comment #12 @Dries says:

In 95% of the cases, it _is_ useful to have the password strength check.

If we disable by default, the majority of users won't even know the functionality is there, and we want to be encouraging more security where we can.

I agree more with Dries that it is more useful than not, and provided there is an easy way to disable it, which #432962: Add option to disable password strength checking addresses, then we are ok and this issue should be set as closed (won't fix).

I disagree with the intent here. As stevepurkiss notes, most site builders won't even come across the option and it won't ever be turned on—which isn't the end of the world, but it's good to have. With the option to disable it, those who want to may, but it should not be disabled by default.

MBroberg made a legit point in this comment.

I have users that like using comfortable, familiar, easy passwords. They feel that the warnings force them to change to a difficult password, then they forget what it was, then they get upset that this is "required". A warning might be nice, but gentler, so that they don't feel like it is mandatory (they usually don't read fine print) .
So yes it is needed and should be up to the site designer.

I'd like to use his argument to make the case against disabling by default as we don't want the admin user to create a "comfortable, familiar, easy" password; we always want them to create a difficult - and thus, more secure - password and the indicator allows them to know immediately if their password meets that criteria.

If users really are getting confused then we should open another UX/UI issue to redesign the way the indicator is presented.