You could add a call to the Have I Been Pwned API to discourage users from using common passwords.
Hint: I implemented this in the hibp tag in the repo.
I've used Gideon le Grange's HIBP client library, and implemented most of the code in the WebController.
Code Changes:
WebSecurityConfig - create a new factory method for creating instances of the HIBP client. (Finished code)
WebController - use the HIBP client in the registerNewUser method to reject registration if the password is known to have been pwned.
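The following is an added example, not the repo's code and not Gideon le Grange's library: it shows what the check behind those two changes does, using a hand-written client for the Pwned Passwords range endpoint so the k-anonymity lookup is visible. Only the first five hex characters of the password's SHA-1 are sent; the full hash never leaves the server. It assumes Java 11 or later (for java.net.http); the class and method names PwnedPasswordChecker, sha1Hex, countForSuffix and pwnedCount are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (hypothetical class, not from the repo): checks a password
 * against Have I Been Pwned's range endpoint using the k-anonymity model.
 */
public class PwnedPasswordChecker {
    private static final String RANGE_URL = "https://api.pwnedpasswords.com/range/";
    private final HttpClient http;

    public PwnedPasswordChecker(HttpClient http) {
        this.http = http;
    }

    /** Upper-case hex SHA-1 of the password, the form HIBP publishes. */
    static String sha1Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e);
        }
    }

    /**
     * Parses a range response body ("SUFFIX:COUNT" per line) and returns the
     * breach count for the 35-character suffix, or 0 if it is not listed.
     * Padded entries (Add-Padding) carry a count of 0 and are ignored naturally.
     */
    static long countForSuffix(String rangeBody, String suffix) {
        for (String line : rangeBody.split("\\r?\\n")) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue;
            }
            if (line.substring(0, colon).equalsIgnoreCase(suffix)) {
                return Long.parseLong(line.substring(colon + 1).trim());
            }
        }
        return 0L;
    }

    /**
     * Number of times the password appears in HIBP. Only the 5-character hash
     * prefix is sent; the matching suffix is found locally in the response.
     */
    public long pwnedCount(String password) throws IOException, InterruptedException {
        String hash = sha1Hex(password);
        String prefix = hash.substring(0, 5);
        String suffix = hash.substring(5);
        HttpRequest req = HttpRequest.newBuilder(URI.create(RANGE_URL + prefix))
                .header("Add-Padding", "true") // HIBP pads the response so its size does not leak the prefix
                .GET()
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IOException("HIBP range lookup returned HTTP " + resp.statusCode());
        }
        return countForSuffix(resp.body(), suffix);
    }
}
```

Wiring it in follows the two changes listed above: a @Bean factory method in WebSecurityConfig returning new PwnedPasswordChecker(HttpClient.newHttpClient()), and in registerNewUser a call to pwnedCount(password) that rejects the registration (re-rendering the form with an error) when the count is greater than zero. Decide explicitly what happens when the lookup throws: failing open keeps sign-up working during an HIBP outage at the cost of skipping the check, failing closed does the opposite; either way, log the outcome so the behaviour is visible in operations.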