diff --git a/lam/HISTORY b/lam/HISTORY index de8adc19..dbc8a913 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -1,3 +1,7 @@ +June 2018 + - Passwords can be checked against external service (e.g. https://api.pwnedpasswords.com/range) + + 19.03.2018 6.3 - Server profile: added option if referential integrity overlay is active to skip cleanup actions - Unix: several options are now specific to subaccount types (reconfiguration required!) diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml index 3b539b36..c1b5fe17 100644 --- a/lam/docs/manual-sources/chapter-configuration.xml +++ b/lam/docs/manual-sources/chapter-configuration.xml @@ -151,6 +151,43 @@ You can set the minimum password length and also the complexity of the passwords. + + External password check + + Please note that this option is only displayed if you have + installed the PHP Curl extension for your web server. + + This will validate passwords using an external service. LAM + supports the protocol used by Have + I been Pwned. You can use the service directly or setup any + custom service with the same API. If the service reports an error LAM + will log an error message and the password will be accepted. + + Example URL: + https://api.pwnedpasswords.com/range/{SHA1PREFIX} + + LAM will build a SHA1 hash of the password and send parts of it to + the service. + + The configured URL must contain the wildcard "{SHA1PREFIX}" which + will be replaced with the 5 character hash prefix. The service must then + return a list of text lines in the format "<hash + suffix>:<number>". + + "<hash suffix>" needs to be the suffix of a known insecure + password. The "<number>" can be any numeric value and will be + ignored by LAM. + + Example: + + Password hash: 21BD10018A45C4D1DEF81644B54AB7F969B88D65 + + Hash prefix sent to service: 21BD1 + + Returned line: 0018A45C4D1DEF81644B54AB7F969B88D65:1 + + This will reject the password.
diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml index fdce108f..bb8116f1 100644 --- a/lam/docs/manual-sources/chapter-installation.xml +++ b/lam/docs/manual-sources/chapter-installation.xml @@ -574,6 +574,12 @@ version. Unless explicitly noticed there is no need to install an intermediate release. +
+ 6.3 -> 6.4 + + No actions needed. +
+
6.2 -> 6.3 diff --git a/lam/docs/manual-sources/images/configGeneral1.png b/lam/docs/manual-sources/images/configGeneral1.png index 121da807..6b62b70d 100644 Binary files a/lam/docs/manual-sources/images/configGeneral1.png and b/lam/docs/manual-sources/images/configGeneral1.png differ diff --git a/lam/docs/manual-sources/images/configGeneral2.png b/lam/docs/manual-sources/images/configGeneral2.png index c79ac2f5..dbb642a5 100644 Binary files a/lam/docs/manual-sources/images/configGeneral2.png and b/lam/docs/manual-sources/images/configGeneral2.png differ diff --git a/lam/docs/manual-sources/images/configGeneral3.png b/lam/docs/manual-sources/images/configGeneral3.png index 31cb39a3..ec3f29bc 100644 Binary files a/lam/docs/manual-sources/images/configGeneral3.png and b/lam/docs/manual-sources/images/configGeneral3.png differ diff --git a/lam/docs/manual-sources/images/configGeneral4.png b/lam/docs/manual-sources/images/configGeneral4.png index dae51824..759f9c3d 100644 Binary files a/lam/docs/manual-sources/images/configGeneral4.png and b/lam/docs/manual-sources/images/configGeneral4.png differ diff --git a/lam/docs/manual-sources/images/configGeneral5.png b/lam/docs/manual-sources/images/configGeneral5.png index 762bd1cc..4a5ae908 100644 Binary files a/lam/docs/manual-sources/images/configGeneral5.png and b/lam/docs/manual-sources/images/configGeneral5.png differ diff --git a/lam/docs/manual-sources/images/configGeneral6.png b/lam/docs/manual-sources/images/configGeneral6.png index 65cc8b81..65f311ec 100644 Binary files a/lam/docs/manual-sources/images/configGeneral6.png and b/lam/docs/manual-sources/images/configGeneral6.png differ diff --git a/lam/docs/manual-sources/images/configGeneral7.png b/lam/docs/manual-sources/images/configGeneral7.png index a06c3241..dd4e1869 100644 Binary files a/lam/docs/manual-sources/images/configGeneral7.png and b/lam/docs/manual-sources/images/configGeneral7.png differ 
diff --git a/lam/help/help.inc b/lam/help/help.inc
index 9cd82dd9..73db1ccf 100644
--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -172,7 +172,7 @@ $helpArray = array (
 "248" => array ("Headline" => _('Password must not contain part of user/first/last name'),
 "Text" => _('Specifies if the password must not contain 3 or more characters of the user/first/last name.')),
 "249" => array ("Headline" => _('External password check'),
- "Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check and the severity if the check fails.')),
+ "Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check.')),
 "250" => array ("Headline" => _("Filter"),
 "Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
 "260" => array ("Headline" => _("Additional LDAP filter"),
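Review bot: The new "Text" for help entry "249" no longer tells the administrator anything about how the check behaves on failure, and it never said what is sent to the configured URL. The manual hunk in this same commit states that only the 5-character SHA1 prefix is sent and that a service error is logged and the password accepted. That fail-open behaviour is worth one sentence at the place where the URL is entered. I would extend the string to something like `... of your external password check. Only the first 5 characters of the password's SHA1 hash are sent; if the service reports an error the password is accepted.` The `$helpArray` definition starts and ends outside this hunk, and since the msgid changes either way, existing translations of this entry will presumably need refreshing.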