diff --git a/auth_password_pwned/README.rst b/auth_password_pwned/README.rst
new file mode 100644
index 0000000000..75910f9ded
--- /dev/null
+++ b/auth_password_pwned/README.rst
@@ -0,0 +1,100 @@ +==================== +Password Pwned Check +==================== + +.. + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! This file is generated by oca-gen-addon-readme !! + !! changes will be overwritten. !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! source digest: sha256:8ef5c3ff5b64085cdfcd667aed1caed570703d9eb90128e264c47f6967a2de9d + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png + :target: https://odoo-community.org/page/development-status + :alt: Beta +.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png + :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html + :alt: License: AGPL-3 +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github + :target: https://github.com/OCA/server-auth/tree/15.0/auth_password_pwned + :alt: OCA/server-auth +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png + :target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_password_pwned + :alt: Translate me on Weblate +.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png + :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=15.0 + :alt: Try me on Runboat + +|badge1| |badge2| |badge3| |badge4| |badge5| + +This module enforces passwords to be changed once the have appeared in a data breach. + +It uses https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange to check if the password has appeared in any +data breaches. A great resource provided by Troy Hunt https://haveibeenpwned.com/About . + +**Table of contents** + +.. contents:: + :local: + +Configuration +============= + +ir.config_parameter options +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following config parameters change the behaviour of this addon. 
+ +``auth_password_pwned.range_url`` *string* (Default: https://api.pwnedpasswords.com/range/) + + Change the url the plugins checks hashes against. Needs to behave like described in + https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange . This is intended to be used for a company mirror + of the API. + +Usage +===== + +Install the plugin to force the users to change their password once it is considered to be publicly known. + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +`feedback `_. + +Do not contact contributors directly about support or help with technical issues. + +Credits +======= + +Authors +~~~~~~~ + +* WT-IO-IT GmbH + +Contributors +~~~~~~~~~~~~ + + +* `WT-IO-IT GmbH `_: + * Andreas Perhab + +Maintainers +~~~~~~~~~~~ + +This module is maintained by the OCA. + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +This module is part of the `OCA/server-auth `_ project on GitHub. + +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. diff --git a/auth_password_pwned/__init__.py b/auth_password_pwned/__init__.py new file mode 100644 index 0000000000..91c5580fed --- /dev/null +++ b/auth_password_pwned/__init__.py @@ -0,0 +1,2 @@ +from . import controllers +from . import models diff --git a/auth_password_pwned/__manifest__.py b/auth_password_pwned/__manifest__.py new file mode 100644 index 0000000000..8df8271218 --- /dev/null +++ b/auth_password_pwned/__manifest__.py 
@@ -0,0 +1,20 @@
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+{
+ "name": "Password Pwned Check",
+ "summary": "Prevent using pwned passwords.",
+ "version": "15.0.1.0.0",
+ "author": "WT-IO-IT GmbH, Odoo Community Association (OCA)",
+ "category": "Base",
+ "depends": [],
+ "website": "https://github.com/OCA/server-auth",
+ "external_dependencies": {},
+ "license": "AGPL-3",
+ "data": [],
+ "assets": {
+ 'web.assets_tests': [
+ 'auth_password_pwned/static/tests/tours/**/*',
+ ],
+ },
+ "demo": [],
+ "installable": True,
+}
diff --git a/auth_password_pwned/controllers/__init__.py b/auth_password_pwned/controllers/__init__.py
new file mode 100644
index 0000000000..e07a9f0cbc
--- /dev/null
+++ b/auth_password_pwned/controllers/__init__.py
@@ -0,0 +1,3 @@
+from . import main
+# TODO only in tests
+from . import test_controllers
diff --git a/auth_password_pwned/controllers/main.py b/auth_password_pwned/controllers/main.py
new file mode 100644
index 0000000000..727f3ecebe
--- /dev/null
+++ b/auth_password_pwned/controllers/main.py
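Review bot: `"depends": []` leaves the module with no declared dependency on `web`, although `controllers/main.py` subclasses `odoo.addons.web.controllers.main.Home` and the tours are registered under `web.assets_tests`; declare it as `"depends": ["web"],` so module load order and uninstall behave. The quoting is also mixed: the `assets` entry uses single quotes (`'web.assets_tests'`, the tour glob) while every other key in the manifest uses double quotes, so those two lines should follow the rest of the file.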
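Review bot: `from . import test_controllers` registers the test fixture unconditionally, so every production install of the addon exposes the `auth="none"` route defined in `controllers/test_controllers.py` (the hunk for that file, where the handler also reads a module-level mutable `KNOWN_HASHES`); the `# TODO only in tests` comment acknowledges this but does not resolve it. Move the controller under `tests/`, where it is only imported by `tests/test_auth_password_pwned.py` and so only registered when the test suite runs, or guard the import with something like `if odoo.tools.config["test_enable"]:` — confirm that key is set by the runner you use before relying on it. Either way the TODO should go once the unauthenticated endpoint is no longer shipped.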
@@ -0,0 +1,85 @@ +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). + +import logging + +from odoo import _, http +from odoo.http import request + +from odoo.addons.web.controllers.main import Home + +_logger = logging.getLogger(__name__) + + +class AuthPasswordPwnedHome(Home): + def _auth_signup_is_installed(self): + return bool( + request.env["ir.module.module"] + .sudo() + .search( + [("name", "=", "auth_signup"), ("state", "in", ["installed"])], limit=1 + ) + ) + + def _reset_password_enabled(self): + return ( + request.env["ir.config_parameter"] + .sudo() + .get_param("auth_signup.reset_password") + == "True" + ) + + @http.route() + def web_login(self, *args, **kw): + pwned = False + reset_pw_after_validation = False + if "password" in kw and request.env.user._passwordhasbeenpwned(kw["password"]): + if self._auth_signup_is_installed(): + if self._reset_password_enabled(): + # prevent login with a pwned password and force user to reset it + kw["password"] = "" + request.params["password"] = "" + pwned = _( + "This password is known by third parties please reset it and" + " use a different password." + ) + else: + # prepare to hint the user to their email + # reset the password after it has been validated + reset_pw_after_validation = True + pwned = _( + "This password is known by third parties an email has been" + " sent with instructions how to reset it." + ) + + else: + # display a login message and tell the user they should contact the admin + # to start a safe password change procedure + kw["password"] = "" + request.params["password"] = "" + pwned = _( + "This password is known by third parties please contact an" + " administrator how to get a new one." 
+ ) + response = super().web_login(*args, **kw) + if reset_pw_after_validation and request.params.get("login_success"): + # do not allow user to continue and send them a reset password email + request.params["login_success"] = False + request.session.logout(keep_db=True) + try: + request.env["res.users"].sudo().reset_password(kw["login"]) + except Exception as e: + # Log the exception and continue to tell the "user" an email has been sent. + # reset_password only throws an exception if the login is not correct + # / not active so this is most likely someone guessing usernames. + _logger.error( + _("Could not reset password for {login}: {exception}").format( + login=kw["login"], exception=e + ) + ) + # make the response render the login with our error message + kw["password"] = "" + request.params["password"] = "" + response = super().web_login(*args, **kw) + if pwned: + response.qcontext["error"] = pwned + return response diff --git a/auth_password_pwned/controllers/test_controllers.py b/auth_password_pwned/controllers/test_controllers.py new file mode 100644 index 0000000000..90f37e6eaa --- /dev/null +++ b/auth_password_pwned/controllers/test_controllers.py @@ -0,0 +1,12 @@ +from odoo.http import Controller, route, Response + +KNOWN_HASHES=[] + + +class TestRangeController(Controller): + + @route("/auth_password_pwned/range/", type="http", auth="none") + def test_pwned_range(self, range): + return Response("\n".join([ + f"{k[len(range):]}:1" for k in KNOWN_HASHES if k.startswith(range) + ]), content_type="text/plain", status=200) diff --git a/auth_password_pwned/models/__init__.py b/auth_password_pwned/models/__init__.py new file mode 100644 index 0000000000..8835165330 --- /dev/null +++ b/auth_password_pwned/models/__init__.py @@ -0,0 +1 @@ +from . import res_users diff --git a/auth_password_pwned/models/res_users.py b/auth_password_pwned/models/res_users.py new file mode 100644 index 0000000000..46de82666a --- /dev/null 
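Review bot: The pwned lookup in `web_login` runs before `super().web_login()` has authenticated anything — `request.env.user._passwordhasbeenpwned(kw["password"])` fires on every POST carrying a password field — so any unauthenticated client can make the server issue an outbound request to the range API per attempt, and because that request has no timeout (see the `res_users.py` hunk) a slow API turns a login flood into tied-up workers. Consider running the check only after `super()` reports `request.params["login_success"]`, the pattern the reset branch already uses, then logging the session out and rendering the message; the wrong-password path would then never touch the external API. At the current call site `request.env.user` is evaluated before the base `web_login` assigns `request.uid` (if that is indeed where it is set), so the `has_group("base.group_system")` test inside `_passwordhasbeenpwned` may run on an empty user recordset — worth confirming, and worth a comment at the call such as `# pre-auth env user: API errors here are logged and the check is skipped`. The three repeated `kw["password"] = ""` / `request.params["password"] = ""` pairs could be one small `_clear_password()` helper.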
+++ b/auth_password_pwned/models/res_users.py @@ -0,0 +1,63 @@ +import hashlib +import logging + +import requests + +from odoo import _, models +from odoo.exceptions import UserError + +_logger = logging.getLogger(__name__) + + +class ResUsers(models.Model): + _inherit = "res.users" + + def _set_password(self): + self._passwordshavebeenpwned(self.mapped("password")) + + return super()._set_password() + + def _passwordshavebeenpwned(self, passwords): + for password in passwords: + if self._passwordhasbeenpwned(password): + raise UserError( + _("Password is already pwned and can no longer be used.") + ) + + def _passwordhasbeenpwned(self, password): + params = self.env["ir.config_parameter"].sudo() + api_url = params.get_param( + "auth_password_pwned.range_url", + default="https://api.pwnedpasswords.com/range/", + ) + if api_url[-1] == "/": + api_url = api_url[:-1] + + password_hash = hashlib.sha1(password.encode("utf-8")).hexdigest().upper() + try: + r = requests.get( + "{api_url}/{hash}".format(api_url=api_url, hash=password_hash[:5]), + headers={ + "User-Agent": "Odoo OCA auth_password_pwned" + " https://github.com/OCA/server-auth", + }, + ) + r.raise_for_status() + response = r.text + return password_hash[5:] in response + except ( + requests.exceptions.HTTPError, + requests.exceptions.RequestException, + ) as error: + if self.env.user.has_group("base.group_system"): + # for admins display a message for them being able to fix the issue + raise UserError( + _(f"{api_url} cannot be reached: {error}").format(api_url, error) + ) from error + else: + # for other users log a warning + _logger.warning( + _(f"{api_url} cannot be reached: {error}").format(api_url, error) + ) + # and let them log into the system (if they have the correct password) + return False diff --git a/auth_password_pwned/readme/CONFIGURE.rst b/auth_password_pwned/readme/CONFIGURE.rst new file mode 100644 index 0000000000..2411475f36 --- /dev/null +++ b/auth_password_pwned/readme/CONFIGURE.rst 
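Review bot: `requests.get(...)` in `_passwordhasbeenpwned` is issued without a `timeout`, so an unresponsive range API blocks the calling worker indefinitely, and because this runs inside both `web_login` and `_set_password` it is the addon's availability boundary. Add a `timeout=` (the value is a judgement call; a few seconds suits an interactive login) and fix the neighbours while there: `api_url[-1]` raises `IndexError` when the parameter is set to an empty string, `requests.exceptions.HTTPError` is already a subclass of `RequestException`, and `_(f"{api_url} cannot be reached: {error}")` interpolates before translation so the lookup can never match while the trailing `.format(api_url, error)` is a no-op. The non-admin branch is a deliberate fail-open and deserves saying so: `# Deliberate fail-open for non-admins: an API outage must not lock out users who know their password; admins get the error above so the outage is visible.` If the `Add-Padding: true` header the API offers is added later, padded entries carry a count of 0, so the substring test on `response` should become a per-line parse that ignores them.
```python
        api_url = api_url.rstrip("/")  # also safe when the parameter is set to ""

        password_hash = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        try:
            r = requests.get(
                "{api_url}/{hash}".format(api_url=api_url, hash=password_hash[:5]),
                headers={
                    "User-Agent": "Odoo OCA auth_password_pwned"
                    " https://github.com/OCA/server-auth",
                },
                timeout=10,  # a hung range API must not block the login worker
            )
            r.raise_for_status()
            return password_hash[5:] in r.text
        except requests.exceptions.RequestException as error:  # HTTPError is a subclass
            message = _("%(api_url)s cannot be reached: %(error)s") % {
                "api_url": api_url,
                "error": error,
            }
            if self.env.user.has_group("base.group_system"):
                # admins see the outage so they can fix the configuration
                raise UserError(message) from error
            # Deliberate fail-open for non-admins: an API outage must not lock out
            # users who know their password; the warning keeps the outage visible.
            _logger.warning(message)
            return False
```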
@@ -0,0 +1,10 @@ +ir.config_parameter options +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following config parameters change the behaviour of this addon. + +``auth_password_pwned.range_url`` *string* (Default: https://api.pwnedpasswords.com/range/) + + Change the url the plugins checks hashes against. Needs to behave like described in + https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange . This is intended to be used for a company mirror + of the API. diff --git a/auth_password_pwned/readme/CONTRIBUTORS.rst b/auth_password_pwned/readme/CONTRIBUTORS.rst new file mode 100644 index 0000000000..405e62b912 --- /dev/null +++ b/auth_password_pwned/readme/CONTRIBUTORS.rst @@ -0,0 +1,3 @@ + +* `WT-IO-IT GmbH `_: + * Andreas Perhab diff --git a/auth_password_pwned/readme/DESCRIPTION.rst b/auth_password_pwned/readme/DESCRIPTION.rst new file mode 100644 index 0000000000..568d00c728 --- /dev/null +++ b/auth_password_pwned/readme/DESCRIPTION.rst @@ -0,0 +1,4 @@ +This module enforces passwords to be changed once the have appeared in a data breach. + +It uses https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange to check if the password has appeared in any +data breaches. A great resource provided by Troy Hunt https://haveibeenpwned.com/About . diff --git a/auth_password_pwned/readme/USAGE.rst b/auth_password_pwned/readme/USAGE.rst new file mode 100644 index 0000000000..392e8ceb7a --- /dev/null +++ b/auth_password_pwned/readme/USAGE.rst @@ -0,0 +1 @@ +Install the plugin to force the users to change their password once it is considered to be publicly known. diff --git a/auth_password_pwned/static/description/index.html b/auth_password_pwned/static/description/index.html new file mode 100644 index 0000000000..2e87957d0c --- /dev/null +++ b/auth_password_pwned/static/description/index.html @@ -0,0 +1,450 @@ + + + + + +Password Pwned Check + + + +
+

Password Pwned Check

+ + +

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

+

This module enforces passwords to be changed once the have appeared in a data breach.

+

It uses https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange to check if the password has appeared in any +data breaches. A great resource provided by Troy Hunt https://haveibeenpwned.com/About .

+

Table of contents

+ +
+

Configuration

+
+

ir.config_parameter options

+

The following config parameters change the behaviour of this addon.

+

auth_password_pwned.range_url string (Default: https://api.pwnedpasswords.com/range/)

+
+Change the url the plugins checks hashes against. Needs to behave like described in +https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange . This is intended to be used for a company mirror +of the API.
+
+
+
+

Usage

+

Install the plugin to force the users to change their password once it is considered to be publicly known.

+
+
+

Bug Tracker

+

Bugs are tracked on GitHub Issues. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +feedback.

+

Do not contact contributors directly about support or help with technical issues.

+
+
+

Credits

+
+

Authors

+
    +
  • WT-IO-IT GmbH
  • +
+
+
+

Contributors

+ +
+
+

Maintainers

+

This module is maintained by the OCA.

+Odoo Community Association +

OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use.

+

This module is part of the OCA/server-auth project on GitHub.

+

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

+
+
+
+ + diff --git a/auth_password_pwned/static/tests/tours/change_password_test_tour_pwned.js b/auth_password_pwned/static/tests/tours/change_password_test_tour_pwned.js new file mode 100644 index 0000000000..215289ed9f --- /dev/null +++ b/auth_password_pwned/static/tests/tours/change_password_test_tour_pwned.js 
@@ -0,0 +1,62 @@ +/** @odoo-module **/ + +import tour from 'web_tour.tour'; + +/** + * This tour depends on data created by python test in charge of launching it. + * It is not intended to work when launched from interface. + * @see auth_password_pwned/tests/test_auth_password_pwned.py + */ +tour.register('auth_password_pwned/static/tests/tours/change_password_test_tour_pwned.js', { + test: true, +}, [{ + content: "Open Settings", + trigger: ".o_app.o_menuitem:contains('Settings')", +}, { + content: "Open Users & Companies Dropdown", + trigger: ".o_main_navbar .o_menu_sections .o-dropdown:contains('Users & Companies') button", +}, { + content: "Open Users Lists", + trigger: ".o_main_navbar .o_menu_sections .o-dropdown:contains('Users & Companies') .dropdown-item:contains('Users')", +}, { + content: "Wait for users list to start loading", + trigger: "body:contains('Loading')", + run: () => null, +}, { + content: "Wait for loaded users list", + trigger: "body:not(:contains('Loading'))", + run: () => null, +}, { + content: "Select Demo User", + trigger: ".o_content tr:contains('Demo') .o_list_record_selector", +}, { + content: "Wait for Demo User to be selected", + trigger: ".o_content tr:contains('Demo') input[type='checkbox']:checked", + run: () => null, +}, { + content: "Open Actions Menu", + trigger: ".o_action_manager button:contains('Action')", +}, { + content: "Open Change Passwords Dialog", + trigger: ".o_action_manager .dropdown.show a.dropdown-item:contains('Change Password')", +}, { + content: "Enable input for setting Pwned Password", + trigger: ".modal-content tr:contains('demo')", + run: function(actions) { + var i=0; + while(this.$anchor.find("input[name='new_passwd']").length <= 0) { + actions.click(this.$anchor.find("div")); + i++; + if (i > 1000) assert(false); + } + } +}, { + content: "Set Pwned Password", + trigger: ".modal-content tr:contains('demo') input[name='new_passwd']", + run: "text demo", +}, { + content: "Change Password", + trigger: 
".modal-footer btn-primary", +}, { + //TODO verify that alert is shown +}]); diff --git a/auth_password_pwned/static/tests/tours/login_test_tour_ok.js b/auth_password_pwned/static/tests/tours/login_test_tour_ok.js new file mode 100644 index 0000000000..661902da67 --- /dev/null +++ b/auth_password_pwned/static/tests/tours/login_test_tour_ok.js @@ -0,0 +1,28 @@ +/** @odoo-module **/ + +import tour from 'web_tour.tour'; + +/** + * This tour depends on data created by python test in charge of launching it. + * It is not intended to work when launched from interface. + * @see auth_password_pwned/tests/test_auth_password_pwned.py + */ +tour.register('auth_password_pwned/static/tests/tours/login_test_tour_ok.js', { + test: true, +}, [{ + content: "Set login", + trigger: ".oe_login_form #login", + run: "text testuser", +}, { + content: "Set password", + trigger: ".oe_login_form #password", + run: "text testuser", +}, { + content: "Login to backend", + trigger: ".oe_login_form button[type='submit']", +}, { + content: "Check that backend is loading", + trigger: ".o_web_client", + // We are checking the error message here + run: () => null, +}]); diff --git a/auth_password_pwned/static/tests/tours/login_test_tour_pwned.js b/auth_password_pwned/static/tests/tours/login_test_tour_pwned.js new file mode 100644 index 0000000000..8f98ec7e6d --- /dev/null +++ b/auth_password_pwned/static/tests/tours/login_test_tour_pwned.js 
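Review bot: The `run` callback of the "Enable input for setting Pwned Password" step calls `assert(false)` after 1000 iterations, but `assert` is not defined in the browser, so the guard throws a `ReferenceError` instead of a meaningful tour failure, and the loop itself clicks synchronously with no yield; throw explicitly, e.g. `if (i > 1000) throw new Error("new_passwd input never appeared");`. The last trigger `".modal-footer btn-primary"` selects a `<btn-primary>` element inside `.modal-footer`, which does not exist — it should be `".modal-footer .btn-primary"`. The closing `//TODO verify that alert is shown` step is an empty object with no trigger, which the tour runner may reject; either assert on the alert carrying the message `_set_password` raises or drop the step until it is written.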
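Review bot: The comment `// We are checking the error message here` on the last step of `login_test_tour_ok.js` was carried over from the pwned tour; this step waits for `.o_web_client`, i.e. it checks that login succeeded, so `// Reaching the web client means the login succeeded` describes what it does.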
@@ -0,0 +1,28 @@ +/** @odoo-module **/ + +import tour from 'web_tour.tour'; + +/** + * This tour depends on data created by python test in charge of launching it. + * It is not intended to work when launched from interface. + * @see auth_password_pwned/tests/test_auth_password_pwned.py + */ +tour.register('auth_password_pwned/static/tests/tours/login_test_tour_pwned.js', { + test: true, +}, [{ + content: "Set login", + trigger: ".oe_login_form #login", + run: "text testpassword", +}, { + content: "Set password", + trigger: ".oe_login_form #password", + run: "text testpassword", +}, { + content: "Try to login to backend", + trigger: ".oe_login_form button[type='submit']", +}, { + content: "Check that there is a warning for an unsafe password", + trigger: ".oe_login_form .alert:contains('This password is known by third parties an email has been sent with instructions how to reset it.')", + // We are checking the error message here + run: () => null, +}]); diff --git a/auth_password_pwned/tests/__init__.py b/auth_password_pwned/tests/__init__.py new file mode 100644 index 0000000000..54c4ee4cf7 --- /dev/null +++ b/auth_password_pwned/tests/__init__.py @@ -0,0 +1 @@ +from . import test_auth_password_pwned diff --git a/auth_password_pwned/tests/test_auth_password_pwned.py b/auth_password_pwned/tests/test_auth_password_pwned.py new file mode 100644 index 0000000000..45f8a4fae2 --- /dev/null +++ b/auth_password_pwned/tests/test_auth_password_pwned.py 
@@ -0,0 +1,46 @@
+
+from odoo import Command
+from odoo.tests.common import HttpCase, tagged
+from odoo.addons.auth_password_pwned.controllers import test_controllers
+
+
+@tagged('-at_install', 'post_install', 'auth_password_pwned')
+class TestPwnedPasswords(HttpCase):
+
+ def setUp(self):
+ super(TestPwnedPasswords, self).setUp()
+ self.env['ir.config_parameter'].set_param("auth_password_pwned.range_url", "http://localhost:8069/auth_password_pwned/range/")
+ test_controllers.KNOWN_HASHES.clear()
+
+ def test_login_with_pwned_password(self):
+ return
+ self.env["res.users"].create(
+ {
+ "login": "testpassword",
+ "password": "testpassword",
+ "name": "my test user with unsafe password",
+ "groups_id": [Command.link(self.env.ref("base.group_user").id)],
+ }
+ )
+ test_controllers.KNOWN_HASHES += ["8BB6118F8FD6935AD0876A3BE34A717D32708FFD"] # sha1sum of testpassword
+ self.start_tour("/web/login","auth_password_pwned/static/tests/tours/login_test_tour_pwned.js", login="testpassword")
+
+ def test_login_with_ok_password(self):
+ return
+ self.env["res.users"].create(
+ {
+ "login": "testuser",
+ "password": "testuser",
+ "name": "my test user with safe password",
+ "groups_id": [Command.link(self.env.ref("base.group_user").id)],
+ }
+ )
+ self.start_tour("/web/login","auth_password_pwned/static/tests/tours/login_test_tour_ok.js", login="testuser")
+
+ def test_backend_password_pwned_backend(self):
+ test_controllers.KNOWN_HASHES += ["89E495E7941CF9E40E6980D14A16BF023CCD4C91"] # sha1sum of demo
+ self.start_tour("/web", "auth_password_pwned/static/tests/tours/change_password_test_tour_pwned.js", login="admin")
+
+ def test_backend_changing_ok_password(self):
+ # TODO
+ pass
diff --git a/setup/auth_password_pwned/odoo/addons/auth_password_pwned b/setup/auth_password_pwned/odoo/addons/auth_password_pwned
new file mode 120000
index 0000000000..6208ee1a5d
--- /dev/null
+++ b/setup/auth_password_pwned/odoo/addons/auth_password_pwned
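Review bot: `test_login_with_pwned_password` and `test_login_with_ok_password` both start with a bare `return`, so the user creation and `start_tour` calls after it never execute and the two tests pass vacuously; either remove the `return` or mark them with `@unittest.skip("reason")` so the gap stays visible in the test report. The pwned-login tour asserts the `"... an email has been sent with instructions how to reset it."` message, which `web_login` only produces when `auth_signup` is installed and `auth_signup.reset_password` is not `"True"`, so the test is coupled to the state of whatever database it runs in — assert that precondition in `setUp` or add `auth_signup` to the manifest depends. The hard-coded `"http://localhost:8069/..."` in `set_param` should be derived from the test server's own address (`self.base_url()` if `HttpCase` provides it in this version) so the suite survives a non-default `http_port`.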
@@ -0,0 +1 @@
+../../../../auth_password_pwned
\ No newline at end of file
diff --git a/setup/auth_password_pwned/setup.py b/setup/auth_password_pwned/setup.py
new file mode 100644
index 0000000000..28c57bb640
--- /dev/null
+++ b/setup/auth_password_pwned/setup.py
@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+ setup_requires=['setuptools-odoo'],
+ odoo_addon=True,
+)