Reduce pwnedpassword check HTTP request time-out from 2 seconds to 1 second as this blocks the login request, the request should only take a few 10s of milliseconds, so fail faster instead of waiting
Add password test page, this tests all the ways a password could fail including methods which aren't enabled
If enabled for a user, prevents email 2fa from being disabled
For new installs add a "User has compromised password" user-group, and update the "User-group for compromised passwords" option to use it
Align defaults with NIST Password Guidelines for 2024
Update "New password validation rules" defaults. "Prevent passwords which contain the user's email or username, and the site's domain/name" defaults to true
