Why would one send their users' passwords over a relatively insecure HTTPS connection to a third party API? I like increased security but this makes no sense. We don't know who controls the API and if they log the sent passwords.
Am I missing something? Even if it's hashed, it isn't worth the risk.
If the password library was downloaded it would be good. Otherwise not.
Have you thought about that, Chris?