I do a lot of work in the "Identity" space, but I am for sure not the smartest guy in the room. I have a good understanding of how to program against token issuers and I understand the authentication/authorization concepts. But, there is more to Identity that just that.
One of the very smartest people is Troy Hunt. Mr. Hunt runs a website that can be used to see if a password breach contained your email. The Have I been pwned site is a fantastic tool for keeping your digital security in good shape.
There is a new service available from Have I been pwned that provides hashed versions of the ~306M passwords in the breach database. Mr. Hunt has a detailed explanation in his post Introducing 306 Million Freely Downloadable Pwned Passwords.
If you are involved in creating a website in which users log in, you should read this post and all the sources cited in it. Or, follow my advice -- DON'T WRITE CODE TO STORE AND VALIDATE CREDENTIALS!
I always recommend Azure Active Directory and its B2B and B2C features. Of course, there are other providers as well. And I would bet that they also have full-time staff to harden the service, keeping customers safe. Do you have that kind of resource?