The website haveibeenpwned.com provides, among other things, a list of passwords that have appeared in data leaks.
haveibeenpwned is secure
For verification, the complete password is never sent, but only a small partial hash value.
The pwned passwords function used searches the database of previous data leaks for the presence of a user-supplied password. The password is hashed using the SHA-1 algorithm and only the first 5 characters of the hash are sent.
Integration with ISPConfig
In the Main Config section you can set the maximum number of entries a password may have when querying the haveibeenpwned database in the “Misc” tab.
If a password is entered that is in the database more times than you have allowed, a hint is displayed and the password cannot be used.