This allows securely checking if a password has likely been compromised without sharing the password.
See Validating Leaked Passwords with k-Anonymity for details. Warning: contains maths.
If the API fails, the password is blocked with a generic error message. The stack trace is not logged, as this would leak the user's password into the error log.
Caches API results for at least a day
Pwned password reports the number of breaches, and there is an admincp option to use this to determine if a password is compromised.
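The k-anonymity lookup, fail-closed behaviour, one-day cache and breach-count threshold described above, as an added Python sketch (not the add-on's own PHP code). It assumes the Pwned Passwords range format of a 5-character SHA-1 prefix query answered with `SUFFIX:COUNT` lines; `fetch_range`, `min_count`, the messages and the stub responders are hypothetical names, and the sample response is constructed.

```python
import hashlib
import time

CACHE_TTL = 24 * 60 * 60      # the page caches API results for at least a day
GENERIC_ERROR = "Password check unavailable, please try again later."
range_cache = {}              # hash prefix -> (fetched_at, {suffix: count})

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines (35 hex chars, colon, integer) into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range, now=time.time):
    """Look up a password; only the 5-character hash prefix goes to fetch_range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    entry = range_cache.get(prefix)
    if entry is None or now() - entry[0] >= CACHE_TTL:
        entry = (now(), parse_range(fetch_range(prefix)))
        range_cache[prefix] = entry
    return entry[1].get(suffix, 0)   # the suffix is matched locally

def check_password(password, fetch_range, min_count=1, now=time.time):
    """Return (allowed, message). min_count models the admin threshold option."""
    try:
        count = breach_count(password, fetch_range, now)
    except Exception:
        # Fail closed and log nothing: a traceback's frames would hold the password.
        return False, GENERIC_ERROR
    if count >= min_count:
        return False, "This password has appeared in %d known breaches." % count
    return True, ""

calls = []                    # prefixes the stub was asked for

def fake_fetch_range(prefix):
    """Constructed stand-in for the remote range API; performs no network I/O."""
    calls.append(prefix)
    known = hashlib.sha1(b"password").hexdigest().upper()
    rows = ["0" * 35 + ":2"]  # constructed padding row
    if known.startswith(prefix):
        rows.append(known[5:] + ":42")   # constructed breach count
    return "\r\n".join(rows)

def failing_fetch(prefix):
    """Constructed outage, used to exercise the fail-closed path."""
    raise ConnectionError("constructed outage")
```

In a real deployment `fetch_range` would be an HTTPS client for the range endpoint; everything else stays the same.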
New Password checks option.
Allows zxcvbn & pwned password support to be independently disabled
Only show 'too short' password strength phrase if there is any password
Only show 'password matching' indicator between password/confirmed password fields if there is any password.
Rework failed password reporting to be more consistent
Enable password complexity for admins in admincp
Applies to admin edits.
Default disabled
Now maintained by Xon
Installer enforces minimum PHP 5.4+ version
Rewrite password-meter javascript to reliably find the fields it needs to hook into.
Add password-meter to admincp page when setting a user password
Option to not enforce password complexity rules for setting a user password via the admincp
Add password-meter to lost password page
Use "async" attribute for external scripts, removing the polyfill.
Sorry pre-IE11, go die in a fire.
Ancient browsers will ignore the attribute and block the page while downloading the zxcvbn script.