Submitting the password to an api hosted externally

[shivi1809]

The app appears to submit the PW to an api hosted externally, and without this validation it appears to pass all passwords as correct (even if listed in the block list) When the API was blocked by the firewall it started to fail in this way. this aspect was not listed in any documentation so was missed in vetting initially but picked up in testing. We picked this up in our internal testing. This destroys the entire purpose of using password filter in an organization for security. No one wants to send there passwords outside. Is it intentional? Is there any work around?