For more information on WordPress roles and capabilities, please see the Roles and Capabilities article in the WordPress Codex.
Force Password Change
Clicking the Force Password Change button will require all of your users to reset their password the next time they log into your site.
With this feature, you can enforce users to use strong passwords based on their user role.
You can also choose to force a periodic password change and even set the number of days a password can be in use before requiring a new one.
It’s a best practice to change passwords every 120 days, or 4 months.
Warning: If your site invites public registrations, setting the role too low may annoy your members.
The Password Expiration setting will force your users to reset their password at a fixed interval which you determine. You can determine which user roles this is applied to.
Refuse Compromised Passwords
With the Refuse Compromised Passwords feature enabled, the passwords that your users create will be checked against a list of known compromised passwords. If the password is shown to have been compromised, they will not be allowed to use that password and will have to create another. You can determine the user roles this applies to.
After the Refuse Compromised Passwords setting has been enabled, users who attempt to log in with a compromised password will see this notice on their WordPress login screen, prompting them to update their password using a strong password generator.
Once the password has been updated, the user can now successfully log in using a secure password.
Note: Passwords are checked against the list created by Have I Been Pwned. Plaintext passwords are never sent to Have I Been Pwned. Instead, 5 characters of the hashed password are sent over an encrypted connection to their API. Read the technical details here.