Common password validator

[jace]

In addition to #15's requirement for a password strength validator, we should use a common password validator to prevent using simple passwords. The berzerk0/Probable-Wordlists repo has multiple wordlists from leaked passwords across services. By creating a bloom filter from these, we can do a two-pass validator:

1. Test against the bloom filter in-process in a password validator. This is a lightweight lookup but may have false positive matches.
2. If matching, test against an indexed wordlist, possibly with the index stored in a database.