Problem/Motivation

password_policy_blacklist could be useful, but it gives no guidance on how to source a blacklist (deny list), and those lists can be tens of thousands of entries long, which would be a pain to manage in config.

password_policy_pwned solves for that by utilizing a stable API for checking passwords against a millions-of-passwords large database of pwned passwords. This would provide a much more robust deny list capability. It's a small but mighty module that seems like it would require very little additional maintenance.

Steps to reproduce

  1. Install password_policy_blacklist
  2. Try to figure out what to do next
  3. End up sad with no items but "admin" and "password" on your blacklist.

Proposed resolution

Merge password_policy_pwned into the password policy module, instantly boosting its power exponentially!

Remaining tasks

Discuss with the password_policy_pwned owner.

User interface changes

API changes

Data model changes

Comments

froboy created an issue.
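
Added example, not part of the issue and not code from either module: a sketch of how a deny-list check against a hosted pwned-passwords database can work without sending the password itself. It assumes the "stable API" is the Have I Been Pwned Pwned Passwords range endpoint (the issue does not name it); all function names are hypothetical and the sample response is constructed.

```python
import hashlib
import urllib.request

# Assumption: the page only says "a stable API"; this endpoint is not named there.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Upper-case SHA-1 hex digest split into 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup: only the hash prefix leaves the site, never the password."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "Add-Padding": "true", "User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")

def pwned_count(password, fetch=fetch_range):
    """Breach count for the password; 0 if its suffix is absent from the range."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padding rows carry a count of 0
    return 0

def violates_policy(password, threshold=1, fetch=fetch_range, fail_closed=False):
    """True if the password must be rejected. An unreachable API is a policy
    choice: fail_closed=True rejects, the default lets the password through."""
    try:
        return pwned_count(password, fetch) >= threshold
    except OSError:  # urllib.error.URLError and timeouts are OSError subclasses
        return fail_closed

def sample_fetch(prefix):
    """Constructed stand-in for the API so the example runs offline."""
    known_prefix, known_suffix = split_hash("password")
    if prefix != known_prefix:
        return ""
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:0",  # constructed padding row
        known_suffix + ":1234",                    # constructed count
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",  # constructed neighbour
    ])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7!"):
        print(pw, "->", "rejected" if violates_policy(pw, fetch=sample_fetch) else "ok")
```

Whether to fail open or closed when the lookup is unreachable is a site decision; failing open keeps password changes working during an outage at the cost of skipping the check.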