This plugin uses the "Have I Been Pwned" Pwned Passwords API to improve password security for your site's users by preventing them from choosing a password that is already known to have been compromised.
HaveIBeenPwned.com maintains an archive of credentials exposed in publicly known data breaches, and allows anyone to query it to find out whether their account details or password appear in one.
For the purposes of validating a new password, the API can be used to determine whether the password being entered has already appeared in a breach. If the requested password exists in the HaveIBeenPwned database, it should be treated as insecure regardless of how complex it looks: attackers routinely feed exactly these breach lists into dictionary attacks, credential stuffing and password spraying, so a leaked password is among the first guesses they try.
In addition, the API returns the number of times the specified password has been seen across the breaches in the database. This prevalence count is a further measure of how weak a password is: a password that appears many times is clearly in common use, and is therefore vulnerable to attack even if it passes conventional complexity tests.
The "Have I Been Pwned" API is operated by security researcher Troy Hunt and is made available for free; it is recommended and used by major companies, governments and security agencies. It is safe to use because the password itself is never transmitted, not even in encrypted or fully hashed form. The plugin hashes the password with SHA-1 locally and sends only the first five hexadecimal characters of that hash; the API replies with every hash suffix in the database that shares those five characters (a range that typically contains hundreds of different hashes), together with each one's count, and the comparison against the full hash is completed locally. This "k-anonymity" scheme means the service learns only that the password falls into one range among roughly a million, which is not enough to identify it.
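The following is an added example of the range lookup described above; it is not the plugin's own code. It hashes a password locally, splits the SHA-1 hash into the 5-character prefix that is sent and the 35-character suffix that stays on the client, parses a range response in the API's "SUFFIX:COUNT" line format, and applies a configurable prevalence threshold. The sample range response and the counts in it are constructed for the demonstration and are not real data; the User-Agent string is a placeholder, and the endpoint URL is the real one (https://api.pwnedpasswords.com/range/). The live fetch is separated out so the rest runs offline, and the caller decides how to handle a network failure rather than the helper silently treating it as "not breached".

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
# The API expects a User-Agent header; this value is a placeholder for the example.
USER_AGENT = "example-pwned-password-check/1.0"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 (uppercase hex, as the API uses) and split it.

    Only the 5-character prefix ever leaves the client; the 35-character
    suffix is compared locally against the range the API returns.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict.

    Blank lines are skipped. Entries with a count of 0 are padding the API
    adds when asked (Add-Padding header) so response sizes do not reveal the
    range; they are kept here because a count of 0 never causes a rejection.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live query of the real API for one 5-character prefix (not used offline)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": USER_AGENT, "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> Optional[int]:
    """Return how many times the password appears in the corpus, 0 if absent.

    Returns None if the range could not be fetched, so the caller can choose
    between failing closed (reject) and failing open (accept with a warning).
    """
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetch(prefix)
    except (urllib.error.URLError, OSError):
        return None
    return parse_range_response(body).get(suffix, 0)


def is_password_allowed(password: str, fetch: Callable[[str], str] = fetch_range,
                        threshold: int = 0, fail_closed: bool = True) -> bool:
    """Accept the password only if its prevalence count is <= threshold.

    threshold=0 rejects any password seen even once; a higher value tolerates
    rare appearances. On lookup failure the fail_closed flag decides.
    """
    count = breach_count(password, fetch)
    if count is None:
        return not fail_closed
    return count <= threshold


# --- Constructed offline sample, not real API data ---------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6. The other suffixes, all counts, and the padding line are made up.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "1E2AAA439972480CEC7F16C795BBB429372:1",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",   # padding-style entry
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def offline_fetch_failing(prefix: str) -> str:
    """Stand-in that simulates the API being unreachable."""
    raise urllib.error.URLError("simulated network failure")


if __name__ == "__main__":
    print(sha1_prefix_suffix("password"))
    print(breach_count("password", offline_fetch))
    print(is_password_allowed("password", offline_fetch))
```

Replace offline_fetch with the default fetch_range to query the live service; the hashing, parsing and policy code is identical either way.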