@chilimatic described the basics in great detail and lots of simple strength checkers work like that. You can improve the strength checker by
- adding password entropy calculations, which defines the password strength in bits
- adding a blacklist of passwords, which contains most-used passwords
- adding variety-checks, which do common transformations on the blacklisted passwords and add those to the blacklist (for example changing
a to @)
- making sure the password does not contain the user name
In general, just think like a person who wants to crack into an account. What kind of stuff would you try?