I shared some code here to check a password against the list of known breached passwords via the haveibeenpwned API. This will require an internet connection but after you verify password requirements it’s a good final-check before allowing the user to select a particular password.