Is there a legit reason to do this? I can’t think of anything beyond bad developers.
I can imagine a scenario in which it would test the field on form submit, somebody in QA filed a bug that they didn’t get instant feedback, and the developer said, fine, fuck it.
I’m not paid to make it good. I’m paid to make it done.
I use https://github.com/dropbox/zxcvbn which is implemented in all sorts of languages (including JS). Even if the client-side implementation isn’t perfect, it’s WAY better than doing round trips to a server for a mere hint, and the logging of GET requests is a huge security problem IMO.
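The GET-logging concern raised in the comment above, as an added example that is not part of the thread: when a strength hint is fetched with the password in the query string, the value is written to the web server's access log, and this scanner finds and redacts such entries. The `/api/strength` endpoint, the parameter names and the log lines are constructed assumptions.

```javascript
// Constructed access-log lines (combined log format); addresses, paths and values are made up.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /api/strength?password=hunter2 HTTP/1.1" 200 17',
  '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /api/strength?user=al&pwd=Tr0ub4dor%263 HTTP/1.1" 200 17',
  '203.0.113.9 - - [12/Mar/2024:10:01:09 +0000] "POST /login HTTP/1.1" 302 0',
  '203.0.113.9 - - [12/Mar/2024:10:01:10 +0000] "GET /search?q=password+manager HTTP/1.1" 200 5120',
];

// Parameter names treated as secret-bearing (an assumption; extend for your application).
const SENSITIVE = new Set(['password', 'passwd', 'pwd', 'pass', 'secret', 'token']);

// Captures the method and the request target from the quoted request line.
const REQUEST_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/;

// Returns the sensitive parameter names found in one log line and a redacted copy of it.
function scanLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return { leaked: [], redacted: line };
  const target = m[2];
  const q = target.indexOf('?');
  if (q === -1) return { leaked: [], redacted: line }; // no query string, nothing logged

  const leaked = [];
  const pairs = target.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    let name;
    try { name = decodeURIComponent(rawName); } catch { name = rawName; }
    if (eq !== -1 && SENSITIVE.has(name.toLowerCase())) {
      leaked.push(name);
      return `${rawName}=[REDACTED]`; // keep the name, drop the value
    }
    return pair;
  });
  const cleanTarget = target.slice(0, q + 1) + pairs.join('&');
  // Function replacement avoids "$" in the target being read as a replace pattern.
  return { leaked, redacted: line.replace(target, () => cleanTarget) };
}

function scanLog(lines) {
  return lines.map(scanLine);
}

for (const { leaked, redacted } of scanLog(SAMPLE_LOG)) {
  console.log(leaked.length ? `LEAK(${leaked.join(',')})` : 'ok', redacted);
}
```

A request body sent with POST does not appear in this log format at all, which is why the third sample line has nothing to redact.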
“Our proprietary security maximizing algorithm must be confidentially protected blah blah.”