@cyb3rops
You don't, you assume the password is shit and so you enforce other controls including MFA, impossible travel, anomaly detection, device posturing etc. You can explicitly blacklist any passwords that are known to have appeared in breaches via haveibeenpwned integration etc.