People have a terrible habit of using the same password over and over, and oftentimes have no clue the password they use isn’t safe anymore. It’s also a common oversight to add this by most creators. Add a setting to enable/disable, of course.
I was chatting about this here: https://vote.classicpress.net/posts/39/please-add-enforce-strong-passwords-and-password-expiry-to-the-core
I think it is a great idea to support HIBP by default.
I’m generally of the mindset that if a plugin can handle it then it should, but this seems like an underlying added layer of security, not only for the site itself but also for the end user. I’m not one for bloating the core, hence why I came to ClassicPress.
Seems more like plugin territory, and it also creates an issue of privacy because we share the email of the user with a different server.
No, a correct implementation of HIBP does not share any information about the user or the password to a different server.
If we implement this, we need to think about what happens if HIBP goes down one day.
Otherwise I think this should be a core feature.
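
The privacy and outage points raised in the replies above, as an added example (not code from ClassicPress or from any poster in this thread): a Pwned Passwords range lookup, where only the first five hex characters of the password's SHA-1 are sent and the suffix is matched locally. `allow_password`, `fail_open`, `sample_fetch` and `down_fetch` are hypothetical names, and the sample response rows are constructed.

```python
import hashlib
import urllib.request
from typing import Callable, Optional

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def http_fetch(url: str) -> str:
    """Real network fetch; Add-Padding hides the response size."""
    headers = {"Add-Padding": "true", "User-Agent": "hibp-example"}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch: Callable[[str], str] = http_fetch) -> Optional[int]:
    """Breach count for the password, 0 if absent, None if the lookup failed."""
    prefix, suffix = split_hash(password)
    try:
        body = fetch(RANGE_URL + prefix)
    except OSError:  # URLError and socket timeouts are OSError subclasses
        return None
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # the suffix comparison happens locally
    return 0

def allow_password(password: str, fetch=http_fetch, fail_open: bool = True) -> bool:
    """Hypothetical policy hook: reject breached passwords; if the service
    is unreachable, fall back to the site's fail_open setting."""
    count = breach_count(password, fetch)
    if count is None:
        return fail_open
    return count == 0

def sample_fetch(url: str) -> str:
    """Constructed offline stand-in for the API (counts are made up)."""
    prefix, suffix = split_hash("password")
    rows = ["0018A45C4D1DEF81644B54AB7F969B88D65:3"]  # constructed filler row
    if url == RANGE_URL + prefix:
        rows.append(f"{suffix}:12345")
    return "\r\n".join(rows)

def down_fetch(url: str) -> str:
    """Constructed stand-in for an outage."""
    raise OSError("service unreachable")
```

With `fail_open=True` an outage never blocks a password change; with `fail_open=False` the site refuses new passwords until the lookup works again, which is the trade-off a core setting would have to expose.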