2.1.7 Password are checked against breached passwords

Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system’s password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. (C6)

Level 1 X
Level 2 X
Level 3 X
CWE NIST
521 5.1.1.2

Symfony

You can use the NotCompromisedPassword constraint.

Laravel

For Laravel you can use the Pwned Validator

Drupal

For Drupal 8 there is the Pwned Passwords module, and for Drupal 7 the Password HaveIBeenPwned module.