We build Kratos and Oathkeeper self-hosted for our...
# contributors
s
We build Kratos and Oathkeeper self-hosted for our customers as part of our products. Some customers insist on running air-gapped from the Net, so we cannot use HaveIBeenPwned directly. We also don't want to download the complete Pwned Passwords database and query it locally. To add a little more protection against silly passwords I have added a call to a simple entropy-based validator https://github.com/wagslane/go-password-validator/blob/main/README.md Would Ory accept a PR?
s
I think the approach does add at least some benefit over not doing anything, although HIBP definitely adds a lot more confidence. I'd be open to adding this to Kratos.
Although maybe it would be better to just implement this as a custom pw validation webhook instead?
s
Though I like the concept of pluggability, I am not so keen on cleartext passwords being passed to webhooks.
s
Sure, but in your case couldn't you run all the stuff locally so it cannot really leak?
s
I have read more on this subject and realised I was being rather naive. I don't feel entropy is a useful measure. Without HIBP I think the best I can do is require longer passwords (14-16 chars) and attempt to educate users about good password choices. Thanks, and sorry for the noise.
s
Yeah, it might provide some useful measure, but I think it is rather small tbh.
It would also have to include different keyboard layouts for different languages, and so forth....
That's why HIBP is such a great source of passwords to check against, because they are real 😅