We should ideally not allow very simple passwords because someone else may just guess them.
On any register-by-password, set-password, change-password, or reset-password operation, check the password by sending its SHA1 to this API, and fail the verification if its occurrence count is >= 2.
https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByPassword
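
One way to implement this check, as an added example that is not part of the original text or of any project's code. It assumes the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/`) rather than the by-password call linked above, so only the first 5 hex characters of the SHA-1 leave the server. All function names, the `fail_open` parameter, and the sample response are constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumption: range endpoint
THRESHOLD = 2  # from the text: reject when the occurrence count is >= 2

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def http_fetch(prefix):
    # Only the 5-character hash prefix is sent; the match happens locally.
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def occurrence_count(password, fetch=http_fetch):
    digest = sha1_hex(password)
    return parse_range_body(fetch(digest[:5])).get(digest[5:], 0)

def password_allowed(password, fetch=http_fetch, *, fail_open):
    """False when the password must be rejected. fail_open is a policy choice
    the text does not specify: the result to use when the lookup fails."""
    try:
        return occurrence_count(password, fetch) < THRESHOLD
    except (OSError, ValueError):
        return fail_open

def constructed_fetch(prefix):
    # Constructed sample response, not real API data.
    rows = {sha1_hex("password"): 7, sha1_hex("seen-once-example"): 1}
    return "\r\n".join(f"{h[5:]}:{c}" for h, c in rows.items() if h.startswith(prefix))

def failing_fetch(prefix):
    raise OSError("constructed outage")

if __name__ == "__main__":
    for pw in ("password", "seen-once-example", "never-listed-example"):
        print(pw, password_allowed(pw, constructed_fetch, fail_open=False))
```

Call `password_allowed` from each of the four operations listed above, and choose `fail_open` deliberately so that an API outage neither silently disables the check nor blocks every registration by accident.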