diff --git a/core/modules/system/system.module b/core/modules/system/system.module
index 4dd494e..a4985d1 100644
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
@@ -1756,7 +1756,7 @@ function system_library_info() {
 'website' => 'https://github.com/lowe/zxcvbn',
 'version' => '1.0',
 'js' => array(
- 'core/assets/vendor/zxcvbn/zxcvbn.js' => array('group' => JS_LIBRARY, 'weight' => -20),
+ 'core/assets/vendor/zxcvbn/zxcvbn.js' => array('group' => JS_LIBRARY),
 ),
 );
diff --git a/core/modules/user/user.js b/core/modules/user/user.js
index 3c5a4ae..b05ba6b 100644
--- a/core/modules/user/user.js
+++ b/core/modules/user/user.js
@@ -53,7 +53,7 @@ Drupal.behaviors.password = {
 }
 // Only show the description box if a weakness exists in the password.
- passwordDescription.toggle(result.strength !== 4);
+ passwordDescription.toggle(result.strength < 3);
 // Adjust the length of the strength indicator, the zxcvbn library
 // will return a strength indicator from 0 (weak) to 4 (strong).
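Review bot: The comment above the changed `passwordDescription.toggle(...)` line still says the box is shown only "if a weakness exists in the password", but the new condition keys on the score alone, so a score-3 password hides the box regardless of what advice evaluatePasswordStrength collected. Either align the comment with the new threshold, e.g. `// Only show the description box for weak or fair passwords (score below 3).`, or, if the box is meant to track the advice list, toggle on whether any message was produced rather than on the score. The property read here is `result.strength`, while the hunk's own comment describes zxcvbn's 0 (weak) to 4 (strong) indicator; the return statement that maps one onto the other is outside the hunk, so I could not confirm from here that they are the same scale. The enclosing behavior's attach function starts and ends outside the hunk.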
@@ -88,21 +88,23 @@ Drupal.behaviors.password = {
 * Returns the estimated strength and the relevant output message.
 */
 Drupal.evaluatePasswordStrength = function (password, translate) {
- var indicatorText, indicatorColor, msg = [];
+ var indicatorText, indicatorColor, msg = [], emailName = '', emailDomain = '';
 var hasLowercase = /[a-z]+/.test(password);
 var hasUppercase = /[A-Z]+/.test(password);
 var hasNumbers = /[0-9]+/.test(password);
 var hasPunctuation = /[^a-zA-Z0-9]+/.test(password);
- // If there is a username edit box on the page, compare password to that,
- // otherwise use value from the database.
+ // Create a site specific vocabulary so personal info can be heavily
+ // penalized.
 var usernameBox = $('input.username');
 var username = (usernameBox.length > 0) ? usernameBox.val() : translate.username;
 var email = $('input[name="mail"], input[name="account[mail]"]').val();
-
- // Add some items to the blacklist of available passwords.
- var blacklist = [username, email];
+ if (email.lastIndexOf('@') > 0) {
 emailName = email.substring(0, email.lastIndexOf('@'));
 emailDomain = email.substring(email.lastIndexOf('@') + 1);
 }
+ var blacklist = [username, email, emailName, emailDomain];
 // Work out the password strength.
 var result = zxcvbn(password, blacklist);
@@ -111,7 +113,7 @@ Drupal.evaluatePasswordStrength = function (password, translate) {
 if (result.match_sequence.length <= 1) {
 msg.push(translate.basedOnADictionaryWord);
 }
- else if (result.match_sequence.length <= 2) {
+ else {
 msg.push(translate.addWords);
 }
 if (password.length < 6) {
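Review bot: The new `email.lastIndexOf('@')` calls throw a TypeError when the page has no mail input, because jQuery's `.val()` on an empty selection returns `undefined`; the removed code only ever placed `email` in an array, so on such forms the strength evaluation now aborts instead of degrading to a shorter blacklist. The same dereference is added as `email.toLowerCase()` in the hunk at @@ -135. Default the value once where it is read, `var email = $('input[name="mail"], input[name="account[mail]"]').val() || '';`, which keeps both the blacklist and the sameAsEmail check safe. The three `lastIndexOf('@')` evaluations could be hoisted into a single `var atIndex = email.lastIndexOf('@');`, and the empty `emailName`/`emailDomain` strings could be omitted from the blacklist when no `@` is present, though I could not verify from here how zxcvbn treats empty entries. evaluatePasswordStrength's body continues past the hunk.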
@@ -135,6 +137,11 @@ Drupal.evaluatePasswordStrength = function (password, translate) {
 msg.push(translate.sameAsUsername);
 }
+ // Check if password is the same as the email address.
+ if (password !== '' && password.toLowerCase() === email.toLowerCase()) {
+ msg.push(translate.sameAsEmail);
+ }
+
 // Based on the strength, work out what text should be shown by the password
 // strength meter.
 switch (result.score) {
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 4bde894..72bcd6b 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -1720,6 +1720,7 @@ function user_form_process_password_confirm($element) {
 'addNumbers' => t('Add numbers'),
 'addPunctuation' => t('Add punctuation'),
 'sameAsUsername' => t('Make it different from your username'),
+ 'sameAsEmail' => t('Make it different from your email address'),
 'weak' => t('Weak'),
 'fair' => t('Fair'),
 'good' => t('Good'),