diff --git a/src/Squidex.Domain.Users/PwnedPasswordValidator.cs b/src/Squidex.Domain.Users/PwnedPasswordValidator.cs
new file mode 100644
index 000000000..44087694c
--- /dev/null
+++ b/src/Squidex.Domain.Users/PwnedPasswordValidator.cs
@@ -0,0 +1,55 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using SharpPwned.NET;
+using Squidex.Infrastructure;
+using Squidex.Infrastructure.Log;
+using Squidex.Shared.Users;
+
+namespace Squidex.Domain.Users
+{
+    public sealed class PwnedPasswordValidator : IPasswordValidator<IUser>
+    {
+        private const string ErrorCode = "PwnedError";
+        private const string ErrorText = "This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!";
+        private static readonly IdentityResult Error = IdentityResult.Failed(new IdentityError { Code = ErrorCode, Description = ErrorText });
+
+        private readonly HaveIBeenPwnedRestClient client = new HaveIBeenPwnedRestClient();
+        private readonly ISemanticLog log;
+
+        public PwnedPasswordValidator(ISemanticLog log)
+        {
+            Guard.NotNull(log, nameof(log));
+
+            this.log = log;
+        }
+
+        public async Task<IdentityResult> ValidateAsync(UserManager<IUser> manager, IUser user, string password)
+        {
+            try
+            {
+                var isBreached = await client.IsPasswordPwned(password);
+
+                if (isBreached)
+                {
+                    return Error;
+                }
+            }
+            catch (Exception ex)
+            {
+                log.LogError(ex, w => w
+                    .WriteProperty("operation", "CheckPasswordPwned")
+                    .WriteProperty("status", "Failed"));
+            }
+
+            return IdentityResult.Success;
+        }
+    }
+}
diff --git a/src/Squidex.Domain.Users/Squidex.Domain.Users.csproj b/src/Squidex.Domain.Users/Squidex.Domain.Users.csproj
index 0ca9385ae..718734926 100644
--- a/src/Squidex.Domain.Users/Squidex.Domain.Users.csproj
+++ b/src/Squidex.Domain.Users/Squidex.Domain.Users.csproj
@@ -14,6 +14,7 @@
     <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.0.2" />
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.4.0" />
     <PackageReference Include="RefactoringEssentials" Version="5.6.0" />
+    <PackageReference Include="SharpPwned.NET" Version="1.0.2" />
     <PackageReference Include="StyleCop.Analyzers" Version="1.0.2" />
     <PackageReference Include="System.Linq.Queryable" Version="4.3.0" />
     <PackageReference Include="System.Security.Principal.Windows" Version="4.4.1" />
diff --git a/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs b/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
index 3d3f3258e..439522fde 100644
--- a/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@@ -57,6 +57,8 @@ namespace Squidex.Areas.IdentityServer.Config
 
             services.AddIdentity<IUser, IRole>()
                 .AddDefaultTokenProviders();
+            services.AddSingleton<IPasswordValidator<IUser>,
+                PwnedPasswordValidator>();
             services.AddSingleton<IUserClaimsPrincipalFactory<IUser>,
                 UserClaimsPrincipalFactoryWithEmail>();
             services.AddSingleton<IClientStore,
diff --git a/src/Squidex/app-config/karma.coverage.conf.js b/src/Squidex/app-config/karma.coverage.conf.js
index 6ee5490b3..14e55e51b 100644
--- a/src/Squidex/app-config/karma.coverage.conf.js
+++ b/src/Squidex/app-config/karma.coverage.conf.js
@@ -67,9 +67,9 @@ module.exports = function (config) {
 
         customLaunchers: {
             ChromeCustom: {
-              base: 'ChromeHeadless',
-              // We must disable the Chrome sandbox (Chrome's sandbox needs more permissions than Docker allows by default)
-              flags: ['--no-sandbox']
+			    base: 'ChromeHeadless',
+                // We must disable the Chrome sandbox (Chrome's sandbox needs more permissions than Docker allows by default)
+                flags: ['--no-sandbox']
             }
           },
 
diff --git a/src/Squidex/app-config/webpack.config.js b/src/Squidex/app-config/webpack.config.js
index f21d7acd8..f78e351eb 100644
--- a/src/Squidex/app-config/webpack.config.js
+++ b/src/Squidex/app-config/webpack.config.js
@@ -47,7 +47,7 @@ module.exports = {
         rules: [{
             test: /\.mjs$/,
             type: "javascript/auto",
-            include: /node_modules/,
+            include: [/node_modules/],
           },{
             test: /\.ts$/,
             use: [{
@@ -59,19 +59,19 @@ module.exports = {
             }, {
                 loader: 'tslint-loader'
             }],
-            exclude: /node_modules/
+            exclude: [/node_modules/]
         }, {
             test: /\.ts$/,
             use: [{
                 loader: 'awesome-typescript-loader'
             }],
-            include: /node_modules/
+            include: [/node_modules/]
         }, {
             test: /\.js\.flow$/,
             use: [{
                 loader: 'ignore-loader'
             }],
-            include: /node_modules/
+            include: [/node_modules/]
         }, {
             test: /\.html$/,
             use: [{
diff --git a/src/Squidex/app-config/webpack.test.coverage.js b/src/Squidex/app-config/webpack.test.coverage.js
index 227874829..f91362c67 100644
--- a/src/Squidex/app-config/webpack.test.coverage.js
+++ b/src/Squidex/app-config/webpack.test.coverage.js
@@ -30,7 +30,9 @@ module.exports = webpackMerge(testConfig, {
                 loader: 'angular-router-loader'
             }, {
                 loader: 'angular2-template-loader'
-            }],
+            }, {
+				loader: 'tslint-loader' 
+			}],
             exclude: [/\.(e2e|spec)\.ts$/]
         }]
     }