Description
Internally, the constraint makes an HTTP request to the API provided by the haveibeenpwned.com website. In the request, the validator doesn’t send the raw password but only the few first characters of the result of encoding it using SHA-1.