In addition to #15's requirement for a password strength validator, we should use a common password validator to prevent using simple passwords. The berzerk0/Probable-Wordlists repo has multiple wordlists from leaked passwords across services. By creating a bloom filter from these, we can do a two-pass validator:
Test against the bloom filter in-process in a password validator. This is a lightweight lookup but may have false positive matches.
If matching, test against an indexed wordlist, possibly with the index stored in a database.
In addition to #15's requirement for a password strength validator, we should use a common password validator to prevent using simple passwords. The berzerk0/Probable-Wordlists repo has multiple wordlists from leaked passwords across services. By creating a bloom filter from these, we can do a two-pass validator: