What should I be doing when I can't force users to use a password manager?

So I understand you shouldn't be using hard rules, like including numbers, special symbols, and mixing upper and lowercase characters, as you can have a very weak password that passes those rules, or a very strong password entirely in lowercase. Nevertheless, one does need some sort of password validation to prevent technologically non-savvy users from entering trivially crackable passwords.

I've used Dropbox's zxcvbn, but that is no longer maintained, and the ports to other languages are not reliable in my experience.

Is the Have I Been Pwned API (https://haveibeenpwned.com/API/v3) the state-of-the-art?
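As an added illustration (not part of the question above, and not code from zxcvbn or Have I Been Pwned), here is what a minimal server-side check built on the Pwned Passwords range endpoint looks like. The client hashes the candidate password with SHA-1, sends only the first five hex characters to `https://api.pwnedpasswords.com/range/{prefix}`, and matches the remaining 35 characters locally against the `SUFFIX:COUNT` lines that come back, so the full hash never leaves the server doing the validation. The range response embedded below is constructed for this example (the breach counts are made up), and the live fetcher is included but not called by default so the code runs offline.

```python
"""Breached-password check using the HIBP Pwned Passwords range API (k-anonymity).

Only the 5-character SHA-1 prefix is sent to the API; the suffix is compared
locally against the returned list. No composition rules are applied: the
policy is "at least min_length characters and not in a known breach".
"""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines (CRLF-separated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the range for a prefix from the real API. Needs network access; unused by default."""
    req = Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "example-password-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, which is the prefix of SHA-1("password").
# The counts here are invented for the example; the real endpoint returns hundreds of lines.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "0000000000000000000000000000000000A:2\r\n",
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for fetch_range_live backed by the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetcher: Callable[[str], str] = fetch_range_constructed) -> int:
    """Return how many times the password appears in breaches (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetcher(prefix))
    return counts.get(suffix, 0)


def validate_password(password: str,
                      fetcher: Callable[[str], str] = fetch_range_constructed,
                      min_length: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects short passwords and breached passwords."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    try:
        n = breach_count(password, fetcher)
    except OSError as exc:
        # Decide fail-open vs fail-closed explicitly; here a lookup failure rejects
        # the password so an API outage cannot silently admit breached passwords.
        return False, f"breach lookup failed: {exc}"
    if n > 0:
        return False, f"appears in known breaches ({n} times)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(candidate, "->", validate_password(candidate))
```

Swap `fetch_range_constructed` for `fetch_range_live` to query the real service; the API requires a `User-Agent` header, and the `add-padding` header and response caching are worth adding in production but are omitted here for clarity.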