@magicroundabout @AlexStandiford @schlessera @WPAleks @haveibeenpwned I don’t see how this could work since the @haveibeenpwned API stores SHA-1 hashes of plain text passwords but WordPress stores a hashed version of salted passwords. And the salt is different (usually) for every single WordPress site. See api.wordpress.org/secret-key/1.1…