10up/10up-experience

Check haveibeenpwned API during password reset and account creation

TheLastCicada opened this issue · 0 comments

Is your enhancement related to a problem? Please describe.
Attacks on wp-login, either brute forcing or using a compromised username and password, are the most common way a site will get hacked. Password re-use, where a username and password are used on multiple websites, is a common user behavior and can lead to a WordPress user's account being compromised based on a hack on a separate site. The 10up experience plugin already forces stronger passwords to be used, but we should continue to look for ways to protect users and help them choose passwords that will keep their site secure.

Describe the solution you'd like
Haveibeenpwned maintains a database of usernames and passwords that have been exposed in previous hacks: https://haveibeenpwned.com/API/v3. When creating a user account or resetting a password, we can make a call to this API to determine if this exact username and password is insecure because it has been exposed in a previous hack. We could also make a call to this API during the login process, but we'd want to set a flag to avoid having to check the same user over and over if we've already checked that their credentials are fine. Maybe that flag should expire monthly or every 3 months to do a recheck as the haveibeenpwned database updates with newer hacks. Checking at account creation and password reset seems to be the best starting point.

There are some existing plugins that we can reference for how to implement this. None of them do exactly what I think we need, but they get close.

https://wordpress.org/plugins/signup-breach-checker/
https://wordpress.org/plugins/user-email-compromised-check/
https://wordpress.org/plugins/disallow-pwned-passwords/
https://wordpress.org/plugins/better-passwords/ (features on this one are pretty good)
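As an added example (not code from the 10up Experience plugin or from any of the plugins linked above), the sketch below shows how the check described in this issue can be wired into WordPress. It uses the Pwned Passwords range endpoint of the Have I Been Pwned API (`https://api.pwnedpasswords.com/range/{prefix}`), which takes only the first five hex characters of the password's SHA-1 hash and returns all matching hash suffixes with their breach counts, so neither the password nor its full hash ever leaves the site. It hooks the password reset form and the profile/user-creation forms, and adds the login-time recheck with an expiring per-user flag as suggested, verifying the submitted password against the stored hash first so a wrong guess is never recorded. All function names, the transient and user-meta keys, the 5-second timeout and the 30-day interval are assumptions for this example.

```php
<?php
/**
 * Added example, not 10up-experience code: reject passwords found in the
 * Have I Been Pwned "Pwned Passwords" corpus via the k-anonymity range API.
 */

// Split the upper-case SHA-1 into the 5-char prefix that is sent to the API
// and the 35-char suffix that is compared locally.
function tenup_example_hibp_split( string $password ): array {
	$hash = strtoupper( sha1( $password ) );
	return array( substr( $hash, 0, 5 ), substr( $hash, 5 ) );
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the count for our
// suffix, or 0 when absent. Padded responses may contain "SUFFIX:0" filler lines.
function tenup_example_hibp_count_in_range( string $body, string $suffix ): int {
	foreach ( preg_split( '/\r?\n/', $body ) as $line ) {
		$parts = explode( ':', trim( $line ), 2 );
		if ( 2 === count( $parts ) && strtoupper( $parts[0] ) === $suffix ) {
			return (int) $parts[1];
		}
	}
	return 0;
}

// Returns the breach count, or null when the API is unreachable. Callers fail
// open on null: a third-party outage must not lock users out of their own site.
function tenup_example_hibp_breach_count( string $password ): ?int {
	list( $prefix, $suffix ) = tenup_example_hibp_split( $password );

	// Cache the range body per prefix (assumed key) so retries in one form
	// session do not re-query the API; the key exposes only the 5-char prefix.
	$cache_key = 'tenup_example_hibp_' . $prefix;
	$body      = get_transient( $cache_key );
	if ( false === $body ) {
		$response = wp_remote_get(
			'https://api.pwnedpasswords.com/range/' . $prefix,
			array( 'timeout' => 5, 'headers' => array( 'Add-Padding' => 'true' ) )
		);
		if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
			return null;
		}
		$body = wp_remote_retrieve_body( $response );
		set_transient( $cache_key, $body, HOUR_IN_SECONDS );
	}
	return tenup_example_hibp_count_in_range( $body, $suffix );
}

// Shared validation: attach an error when the candidate password is known.
function tenup_example_hibp_validate( WP_Error $errors, string $password ): void {
	$count = tenup_example_hibp_breach_count( $password );
	if ( null !== $count && $count > 0 ) {
		$errors->add(
			'pwned_password',
			sprintf( 'This password has appeared in %s known data breaches. Please choose a different one.', number_format_i18n( $count ) )
		);
	}
}

// Password reset form (wp-login.php?action=rp).
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
	if ( ! empty( $_POST['pass1'] ) ) {
		tenup_example_hibp_validate( $errors, (string) wp_unslash( $_POST['pass1'] ) );
	}
}, 10, 2 );

// Admin-side user creation and profile edits (user-new.php, profile.php).
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
	if ( ! empty( $_POST['pass1'] ) ) {
		tenup_example_hibp_validate( $errors, (string) wp_unslash( $_POST['pass1'] ) );
	}
}, 10, 3 );

// Login-time recheck with an expiring flag, as the issue suggests. Runs before
// core verifies the password, so verify it here first: never record anything
// about a password that is not actually the user's.
add_filter( 'wp_authenticate_user', function ( $user, string $password ) {
	if ( is_wp_error( $user ) || ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
		return $user;
	}
	$meta_key = 'tenup_example_hibp_checked'; // assumed key: timestamp of last clean result
	$checked  = (int) get_user_meta( $user->ID, $meta_key, true );
	if ( $checked > time() - 30 * DAY_IN_SECONDS ) {
		return $user; // checked within the (assumed) 30-day window; skip the API
	}
	$count = tenup_example_hibp_breach_count( $password );
	if ( 0 === $count ) {
		update_user_meta( $user->ID, $meta_key, time() );
	} elseif ( null !== $count ) {
		// Flag rather than block: the site can prompt a reset on the next request.
		update_user_meta( $user->ID, 'tenup_example_hibp_pwned', $count );
	}
	return $user;
}, 10, 2 );
```

The API call is isolated in `tenup_example_hibp_breach_count()` and the response parsing in `tenup_example_hibp_count_in_range()`, so the parser can be unit-tested offline against a constructed `SUFFIX:COUNT` body without network access, and the fail-open behaviour on a non-200 response is explicit rather than an accident of a missing check.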