Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat
Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn
Update new install option defaults to more recommend values:
Enforce password complexity for admins
Enable "Length check by default, and set the "Minimum length" to 8
Enable "Pwned password password validation" by default